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@ In an electronic cash implementing method, a 
user makes a bank apply a blind signature to user 
information Vi produced, by a one-way function, 
from secret information Si containing identification 
information, thereby obtaining signed user informa- 
tion. Further, the user makes the bank apply a blind 
signature to information containing authentication in- 
formation Xi produced, by a one-way function, from 
random information Ri. thereby obtaining signed au- 
thentication information. The user (200) uses an in- 
formation group containing the signed user informa- 
tion, the signed authentication information, the user 
information and the authentication information, as 
electronic cash for payment to a shop. The shop 
(300) verifies the validity of the signed user informa- 
tion and the signed authentication information, and 
produces and sends to the user an inquiry. In re- 
sponse to the inquiry the user produces a response 
Yi by using secret information and random informa- 
tion and sends it to the shop. Having verified the 
validity of the response the shop accepts the elec- 
tronic cash. 
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@ In an electronic cash implementing method, a user makes a bank apply a blind signature to user information 
Vi produced, by a one-way function, from secret information Si containing identification information, thereby 
obtaining signed user information. Further, the user makes the bank apply a blind signature to information 
containing authentication information Xi produced, by a one-way function, from random information Ri, thereby 
obtaining signed authentication information. The user (200) uses an information -group containing the signed user 
information, the signed authentication information, the user information and the authentication information, as 
electronic cash for payment to a shop. The shop (300) verifies the validity of the signed user information and the 
signed authentication information, and produces and sends to the user an inquiry. In response to the inquiry the 
user produces a response Yi by using secret information and random information and sends it to the shop. 
Having verified the validity of the response the shop accepts the electronic cash. 
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METHOD AND APPARATUS FOR IMPLEMENTING ELECTRONIC CASH 

BACKGROUND OF THE INVENTION 

The present invention relates to a method and apparatus for implementing electronic cash through 
utilization of a telecommunjcation system. 
5 An electronic funds transfer eftipldying a telecommunication ^ysterfi is 'now tibfning ihto cbmnfion use. 
In general, a certificate which is convertible into money at a financial institution (hereinafter referred to 
simply as a bank), such as a draft or check, has a symbolic function of its own (Which guarantees its holder 
to the rights stated thereon). When handled^ in the telecommunication system, the certificate is digitized 
data, which can easily be copied and converted into money many times. This problem is encountered as 
10 weir in the imii|emejntation 61 eiectfbnic cash such as a prepaid card, because the prepaid card bari also be 
copied for illicit use to cbnveit'into money or purchase articles again' and again. " • 

As a solution to 'this problem; there has been proposed a scheme which ertiplbys a card having a 
computation facility and checks its double usage by suitably adapting data exchange between a card reader 
and the card during cashing procedure (Ghaum, Rat and Naor. "Uifiti'acbable' Hectrbnic Cash". Proc. of 
!5 CRYPTO, '88, for exarrifDlej; ' [,[';' [ ] " ''^ ^ - - 

The above-mentibned" Chaum/'et al. scheme may be briefly summarized in the following outline. 
Incidentally. user*s identification mfonriation (such as his account nuhnber, etc.) wll h^reinaftef- b^ repre- 
sented by lO; ' - ^ ^ * ; 

A description will be gii^eH first 'of ti^^ pi'ocedure for a user to have a bank issue electronic cash of a 
20 certain face value. *■ * ' . r.. i 

Step 1 : The user creates k random numbers aj (where i = 1 k) and uses a public one-way function 

g to obtain Xf. and y; from the following equations: >• 
^Xi = g(at);'';"J ;■ • ' '''[^ 

Yi = g(ai ©IdV'- ' .' ^ 

25 where i = 1, ...,.k.^, ; 

In the above. ® represent^ 'ah' 'Exclusive OR logic operation. 

Step 2: The user computes, by the following equation, the product Bj of a value f(Xi. yi) computed using 
a public one-way function f and the e-th power of a random number n. and then presents the value"Si to the 

30 Bi = r? X f (Xj , yi) mod n . ' 
where i = 1 , .... k 

The ediculatibn of B,- is preprocessing for obtaining. a signature- of the bank to::f(X|, yj) without auowing the 
barik'tb know its Gohtents; and wiif. hereinaftisr be- .called blind signature preprocessing: Here. a rhod b 
generally represents the remainder of the division- of an integer a by ;an integer b. . 
35 . 'Step-3: The bank makes the user open his ip and k/2 random numbers aj.and. r;: to.^onfirm that .the user 
•. has corr^btly executed - Stefis 1 and 2; The. fbilowing description will- be igiven on the: assumption, that the 
' •rahdom hurribers a- arid are: riot open 1. ..., k/2: ... . • 

' ■ Ste'p 4:- The baink- obtainis: the product of unopened k/2. values B, and raises it tb itha>d^th. power to 
compute 3 signature- D as indicated by the following equation. At the same 'itime. the bank : withdraws the 
40 cori*espo'nding^amount of hioney from: the user's account. ■ . 

D = n B i mod n 

i « I 



45 



50 



Step 5: The user computes, by th^ following equation, electronic cash C with the influence of Jhe 
random number n rembve.d..frbrn the signatui:e„Qi 

C = n r i nod n 
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At this time, the following equation holds: 



k/2 <i 

C = n f (Xi , yi) mod n . 

i a I 



ro 



75 



20 



The electronic cash obtained by this processing is equivalent to the value f(Xi, yi). directly applied with the 
signature of the bank. Here, e, d and n are created by the bank and satisfy the following equations, 
n = P X Q 

I = LCM{P - 1), (Q- 1)}, and 
e X d = 1 (mod I) 

where P and Q are prime numbers and LCM{a, b} generally represents the least common multiple of a and 
b. The bank publishes the information e corresponding to the face value of the electronic cash C and the 
key n and keeps the key d strictly confidential. 

The procedure for the user to pay with the electronic cash C at a shop is as follows: 

Step 6: The user presents the electronic cash C to the shop. 

Step 7: The shop creates and transmits a random bit string Ei E^z to the user. 

Step 8; For an unopened item i in 1 k/2, the user presents, to the shop, ai and yi when Ej = 1, and 
x; and (ai e 10) when Ei = 0. 

Step 9: The shop checks the validity of the electronic cash C by the following equation, u?ing the user's 
response and the public inforrriation e and n. 



C" = f (Xi , yi) (ood n). 

The method of settlement between the shop and the bank is as follows: 

Step 10: The shop later presents the electronic cash.C. the bit string E:, E^uz and the user's 
30 response (aj and yt, or x,- and (aj e ID)) and receives payment of the amount of money concerned. 

... Step 11: The bank stores the electronic cash C, the bit string Ei E(c/2 and aj (when Er = 1). or (ai'^ 

■ ID) (when E,- = 0). 

The scheme described above has its features in that it maintains user privacy and permits checking 
double usage of the electronic cash. 
35 Now. a description will be given first of the security for user privacy. Since the information B is obtained 
by randomizing the value f(Xi. yO with random numbers, the bank and a third party cannot assume the value 
f(Xi. y?) from the information B, Further, even if the bank and the shop should conspire, they could not 
associate the electronic cash C with the signature 0. In other words, it is impossible to know who issued the 
electronic cash C. Thus, the method proposed by Chaum. et al. does not allow the originator (i.e. the users 
^ j ^ to be traced back, and hence ensures the privacy of the user, such as his propensity to consume. The 

signature scheme used here will hereinafter be referred to as the "blind signature'* scheme. 

As the blind signature scheme, for instance, Chaum proposes in U.S. Patent No. 4.759,063 the following 
blind signature scheme utilizing the RSA encryption scheme. 

A user randomizes a message M with a one-way function Fca expressed by the following equation (1) 
^5 using a random number r: 

W = Fe A (M) = r*^ X M mod n (1) 

and sends the resulting randomized message W to a bank. This processing by the one-way function Fba is 

the blind signature preprocessing. 

The bank signs the randomized message W with a signature function Dba expressed by the following 
50 equation (2) to obtain a signed randomized message n, which is sent to the user. 

Q = DeA (W) =W'^A ppiod n (2) 

The user processes the signed randomized message Q with a blind signature postprocessing function 

He A expressed by the following equation (3): 

HeA(fl) = Q/r mod n (3) 
55 In the above, Ba, dA and n in Eqs. (1). (2) and (3) are to satisfy the following conditions: 

eA X dA 3 1 (mod X). 

1 = LCM{(P - 1). (Q - 1)}. and 

n = P X Q. ■ 
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where P and Q are prime numbers, LCM{a. b} is the least conimbri multiple of a and b. dA is a secret key, 
and Ba and n are public keys. 

Eq. (3) can be modified.asjoilcjwsj .. » , ' " V 
HeA(n) = Hca {DeA{FeA (fvij)y - (r^'^' )i Mj^^ a //^ r^A^^>^^A x Wi^ r = M*^a (mod n) (4) . 
5 The right side of Eq. (4) is evidently the replacement of W in Eq. (2) with M. Accordingly, the following 
equation holds: 

■ . HeAi(Q) :=..aeA((yi) (S).. ^ • . . . . : . . 

These- equations (1);: (2) and (3). arie;.representative of the blind^sigpature- proeedurevand Eq.. (4);- proves that 
the blind signature is possible. That is to say, the influence of the random number r can be removed from 

10 the signed randomized message Q by processing it with the blind , signature postprocessing function HeA- 
Hence, it is possible to obtain the same signed message DeA(M) as the message M directly signed by the 
bank using, the signature function Dba. •; ■' , ; V~ / • ?: i-^ ^ r . • 

Ne>ct, a descqptign will be- given of the detection of double usage of the "electronic, cash C. The bank 
compares the electronic cash C sent from the shop.:with-.all electrbnicj.cash already .stored. in-a merriory to 

fs check whether the sarrie . electronic cash. G has .beeci used .twice. Suppose that the user hSs invalidly used 
the electronic cash twice. Then, sine^ Stfor-Ej = ij or,(af. ® ID) for E, s. Q has b.een stored in' the memory of 
the bank corresponding tp .the first ;e.iectrpnic cash Ci . the identification information ID: can be obtained by 
computing a? e .{at m |D)..if Ej for the: first .use of the: electronic cash G and. Ef ^for the second- use differ. Since 
the bank makes an inquiry of k/2 bits, the probability of coincidence. through;:an bit5.(i; = 1 to )d2) between 

20 the two. Ejis. that isv the possibility that the. user's io cannot be computed^ from the electronic cash C used 
twice invalidly. is a**^. 

In addition to the requirement for the one-way property of the functions f and g. the above-described 
Ghaum. et ai. scheme requires the collision-free property of two arguments, that is. difficulty in finding (x, y) 
and (X . y ) which satisfy Z-:== f(^., y) f f()?^. y') for securing safety against double usage of electronic cash. 
25 However, no method has been proposed so far whfch constructs the one-way functions which satisfy the 
collision-free property of the two arguments. 



S^UMMARY GF THE INVENTION 



30 



Accordingly.' itMs ah objisct'df fe prbvide an eiectrohic Cash ihnpteitienting method 

and apparatus therefor which permit checking of double usage of electronic ciash'withbU^ h^ed^sitating the 
' ' uSfe of the' fuhctio'n' 1 ih^/olving a* Specific requirerriierit arid which ensur^ usfer privacy . ' ' ' ' 

The electronic cash implementing method according to the present inventibh iis A rtii^thod for use in 
35 electronic' ca^h prob^^sin^ in which a us^i* us^s^iedtroriic cash issued ffdrti a bank, and k shop receives 
and settles it with the bknk. ' , " ' - . ' : ' . 

• The user generates' user' information (Vi) from* secret information (Si)' cdntairtihg his identification 
infdi'niatidn (ibpi' in a I'aw ifbrfn." creatfeis randomized user information (Wi) by raridbrfiiiing the user 
information (Vij or in^drniatidri XMi)' dontaining it through u^e of a blind signature preprbtesso'r. and sends 
40 ' the raridorhiied user infd^^ . > ■ 

The banic signs; the rindorhized user iri^ by' the use' of sighirig etjuiprineht and then 

transmits the signed-r^hdbriiiz6d uSe^ 

The user removes, by a blind signature pbsfptoceisSbt', the iriflu^nce of the raridoriliz^tibri from the 
sigried-f^ridbtnized us§r infdmriktiori feCeiVed frdrii the^Barik, thereby bbtairiirig Sighed us6r information (Bvi, 
45 Bi. or 8) signed by the bank. ^ . . ■ 

The user generates authentication information , p<i) from random' riurriber irifornikfibh (Hi)' through use of 
a first- mesisage fcalculatd'r and r^ridoni'iifes (He' authentfcatibri' inform afibn' or' iriforrhiatibri in cbhfeining it by 
the blind signature preprocessor to obtain randomized authenticatidii information (Zi or 2), which is sent to 
the bank. . . ' . ' 

50 The bank sighs the ^aridortiized '^utHeriticatldri infdrmd^ {i\ of 2) by the signing" equiprfierit and then 
sends the signed-randomized authentication information (Bi or 0) to the user. 

The user rembves the ihfluetide 6f rahdb'nriizatibn fi-pril the si^ried-i'anddmized authentibation information 
by the blind signature postprocessor to obtain signed auth^riticatidri informdtion (Bxi dr C). 

When purchasing an article at a shop, the user presents, as electronic bash; the* uWr iriforWiation, the 
55 authentication irifbrnlatibn. this signed user information arid the signfed'authenticatidh inforriiation. 

The shop verifies the validity of the signed user information and the signed authentication infonmation 
by use of verification equipment. Further, the shop sends to the user ah iriquiry prepared based on 
information of the shop itself. In response to the inquiry from the shop the user presents thereto a response 
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(Yi) prepared through utilization of the secret information (Si), the random number information (Ri) and the 
inquiry. 

The shop checks the response to verify that the user tnfcnnnation and the authentication information are 
the user's information, and hence the electronic cash is valid. Then the shop sends the user's presented 

5 information, the inquiry and the response thereto to the bank for settlement of accounts. 

The bank verifies the validity of the signed user information and the signed authentication information 
by means of verification equipment. Having confirmed the validity of the both information, the bank makes a 
check on its memory for the presence of the same pair of information as the pair of received user 
information and authentication information. If the same pair of information is found, the bank computes the 

w secret information of the user from the two pairs of user information and authentication information to 
identify the user, if the same pair of information is not founds the bank stores the received information in the 
memory. 

As described above, according to the present invention, since the blind signatures is applied to each of 
the user information prepared from the secret information containing the identification information and the 

fs authentication Information based on the random number information, functions for producing the user 
information and the authentication information do not encounter the problem of the two-argument collision- 
free property. Hence, desired functions can be constructed. 

Moreover, if the signed user information once obtained is used as a license (Bi or . 8} issued by the 
bank, and if the afore-mentioned signed authentication information obtained by having the bank sign 

20 information which has the authentication information (Xi) and the license (Bi or B) concatenated as required, 
is used as an electronic coin issued by the bank, then the procedure for issuing the eiectrohic coin can be 
simplified, besides the electronic coin can be transferred and/or used more than once. ^ 

25 BRIEF DESCRIPTION OF THE DRAWINGS . 



Fig. 1 is a diagram showing the relationships among a bank 100, users 200 and shops 300 to which 
the present invention is applied; 

Fig. 2A is a flowchart showing the procedure for the issuance of an electronic cash between the bank 
30 100 and the user 200 in a first embodiment of the present invention; 

Rg. 2B is a flowchart showing the procedure for the use of the electronic cash between the user 200 
and the shop 300 in the first embodiment of the invention; 

Fig. 2C is a flowchart showing the procedure for the settlement of accounts between the bank TOO 
and the shop 300 in the first embodiment of the invention; . , 

35 Fig. 2D is flowchart showing a double usage checking procedure by the bank 100' in Fig. 2C; 

Rg. 3 is a functional block diagram of the user 200 in the first embodiment of the' invention; 
Rg. 4 is a functional block diagram of the bank 100 in the first embodiment of the invention; 
Rg. 5 is a functional block diagram of the shop 300 in the first embodiment of the invention; 
Rg. 6A is a flowchart showing the procedure for the issuance of a license between the bank 100 and 
40 the user 200 in a second embodiment of the present invention: 

Rg. 6B is a flowchart showing the procedure for the issuance of an electronic coin between the bank 
100 and the user 200 in the second embodiment of the invention; 

Rg. 60 is a flowchart showing the procedure for the use of the electronic coin between the user 200 
and the shop 300 in the second embodiment of the invention; 
45 Rg. 6D is a flowchart showing the procedure for the settlement of accounts between the bank 100 

and the shop 300 in the second embodiment of the invention; 

Rg. 7A shows functional block diagrams of the bank 100 and the user 200 in Rg. 6 A; 
Rg. 7B shows functional block diagrams of the bank 100 and the user 200 In Rg. 6B; 
Rg. 70 shows functional block diagrams of the user 200 and the shop 300 in Rg. 60; 
50 Rg. 7D shows functional block diagrams of the bank 100 and the shop 300 in Fig. 6D; 

Rg. 8A is a flowchart showing the procedure for the transfer of an electronic coin between users 
200a and 200b in the second embodiment of the invention; 

Rg. 8B is a flowchart showing the procedure for the use of the transferred electronic coin between 
the user 200b and the shop 300; 
55 Rg. 80 is a flowchart showing the procedure for the settlement of the transferred electronic coin 

between the bank 1 00 and the shop 300; 

Rg. 9A shows functionai block diagrams of the users 200a and 200b in Rg. 8A; 

Rg. 9B shows functional, block diagrams of the user 200b and the shop 300 in Rg. 8B; 
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Fig. 9C shows functional block diagrams of tlie bank 100 and the shop 300 in Rg. 8C;... 
Rg; 10.|s a flGy/chart^.shovving the procedure for the use of an electronic coupon coin between the 
user;:200 and^lhe shop 300 in the second ernbodirriecit of th.e ;inyerition; 

Rg.. 1 1. shpvys.functiqnal block diagrams of the user gOO and the shop: 300 in . Fig. 10:, . : 
5 Rg. 12A is. a- flowchart shpy/ing the RrpGedure.|»etvye^n the. users 209a and .200i3.fpr the transfer of 

the electronic coupon coin in the second embodirnent 
. . . , Rg; .l2B: is. a flowchart showing the procedure ^ 

. ,v.' Fig.v1:3A;Shows functipnat bipck diagrams of. tt^e users- 2ppa and. 20pb in Fig. 12A;.and. . . 
• fig..;! 38 shows. functional, block. diagrams of the user 20pb and th,e shop 300 in (fig. .12B. 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 

. Figi 1 ijlustrates . jn. tjIocK- form th^^ reIationship$ .among ^ bank., a user and a shop tp which the 
elecfronic cash.-implementing method of the present invention applied Ip Rg. 1 .the bank. 100, the users 
;s 200 and. .the shops 300 are interconnected via teiecqmrnynicatipn tine.§, fqr instanqe,. but they, may also be 
connected, for example, via a smart card, on. yyhich inform a^^^^ 

[First Embodiment] . , - ...... 

When rec.e(ving from the user 200 a, request to issue electronlG cash, the bank checks the identity of 
the user 200 and then withdraws from his account an amount of money corresponding to the requested 
electronic cash, or after receiving cash from the user 200 the bank 100 issues a proof of the receipt (signed 
user information and signed authentication information which form part of . information- constituting the 
25 electronic cash as described later) to the user 200 through use of the blind signature scheme. 

W.l^en mailing payment, to the. shop. 3pQ. th^ user. ?0.0 presents the proof to the shop 300 and in 
response to its inquiry presents a response prepared from, secret information .and., random number 
J.nfprmation used: for gener^tin^ information and authentication information, respectively. 

Next, a detailed descriptioii .will be giyea of the. case where the user 200 using IDp as uspr identification 
i 5p . . i.nfprmatiQn has, t^ " 

In order that the RSA cryptosystem. is . employed ..as . an e|xampie. in the biind signatur^. scheme which is 
. used in the, electronic p^sh iissyance^proceclure, the bank first determines various. ^required parameters so 
that they satisfy the following conditions:.; ^ . , ^ .... . .. . ..... 

n=-PxQ , ..^ ... . . ^ '.•■■■)■::. . 

35 e X d a 1 {mod -.^ ^y-.- , . . . . 

. wher^ t = L^^^^{F^- l). (Q -;1)^.v , : . 
The . bank computes e. d and; n^ publishes, the keys e and n but keeps the key d in secret. The face value of 
the.electrpriiG cash which the feianH, issues is fixed, and the public key e. corresponds tp the fixed amount of 
money. . ■ ■ y.- . ... .. . . ^ • ■ . . 

. 4Q ■ =,. .Ir>.the abpy^_LG.M(aj b) represents the least- £otprT)on,mu!tipie..of. int^^ a ^nd ;b..a.nd P and Q are two 
large different prime numbers. Fju.rther... a s.Jb (mod 4) reprejsents .that a b ,is: an... integral mMitipIe of t. The 
. way of , determining such various parameters is described in-R.L, Riyest, et al.i "A Method for Obtaining 
Digital Signatures and Public-Key Gryptosystems'\ Cornrnunicati.qns;^ 21. .No. 2, pp 120- 

.1-26; 1978, fqr example. . ■ , 

45 Next, the user 200 generates user. jnfornnatiQn. Yi. from secret information Sj containing his identification 
information -IDp intact, by: the: use; qf a predetenpined first one-way. fun^^^ authentication 
information Xi, from : random ^nufnbe^;'^M ^ second ope.-way function. The user 200 

has the bank 100 sign the user information Vi; an<j the authentipatipa information Xi through use of the blind 
signature; sGhem©.^ The.. reason for using., th^ . blind signature scheme Js. to protect the privacy of the user 
50. ../-from a conspiracy of the. shop 300 and the bank 100. in the present invention it is significant that the secret 
information Si contains the raw identificatip.n information . I Op: . 

Thq- :Wmd..Sjgnatu.r^^ scheme; in the processing .between the bank and the user in the following 
description utilizes the RSA cryptosystem (see the aforementioned Riyest et aU ^cie) as js the case with 
the blind signature. scheme disclosed in !U.S. Patent.No; 4,759.06340 Cinaum. but a iDiirid signature scheme 
55 employing authentication with interactive property {see U:S.. Patent Appjica^on No, ,367,650. filed June 19. 
1989, for example) may aisp.be us.ed. . . . . ; . 

,Rg. 2A .shows, the,^ procedure for the. user to have the bank iss.ye- electronic cash, and Rgs. 3 and 4 
show the arrangements of the user 200 and the bank 100, respectively. In the following description, i = 1. 
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Step Si : The user generates a random nunnber ai by use of a random generator 21 1 and supplies it to 
signing equipment 212, along with the identification information IDp. The signing equipment 212 is to apply 
a user's signature to the concatenation of the random number a, and the identification information IDp, and 
. 5 its signed output g; is represented by gi = GCa,- 0 IDp), where G is a signature function. The symbol 11 
indicates the concatenation; for example, 01110 II 110 = 01110110. 

Step Sj: The output as of the random generator 21 1 and the output gi of the signing equipment 212 are 
input into a concatenator 213 to create the secret information Si. The secret information Si is a 
concatenation of the information IDp, the random number at and the signature gr as expressed by the 
70 following equation, and hence contains the identification information IDp intact. 
Si = IDp y as II g, (6) . 

Further, two prime numbers PI and Qi are generated by means of a prime generator 221 and their 
product Ni is obtained by a multiplier 222. 

Step S3: User information given by the following equation, which is a first one-way function, is 
75 computed by a modulo power calculator 223 from a prime number Li, the output Si of the concatenator 213 
and the output Ni of the multiplier 222. 
Vi =. Si*^ mod Ni (7) 

On the other hand, authentication information given by the following equation, which is a second one- 
way function, is computed by a modulo power calculator 225 from secret random information Ri produced 
20 by a random generator 224, the output Ni and the prime number U. 
) Xi = Ri"-* mod Ni (8) 

- . . . Since Li and Ni are used as parameters fomiing the one-way functions expressed by Eqs. (7^ and (8). they 
will hereinafter be referred to as parameter information. . . 

Step Si: Preprocessing functions for randomizing the user information Vi and the authentication 
25 information Xi with randomizing random numbers t\ and n in blind signature preprocessing -^are one-way 
functions, which are generally expressed by Fe as shown below but need not always be of the same form. 
Wi = Fe { n , Vi } (9) 

Zi = Fe{ri' , Xi } (10) * ' 

In the embodiment illustrated in Rgs. 2A and 3. this preprocessing takes place in the foilowing manner 
30 Randomized user information expressed by the following equation is computed by" a modulo 
multipfication/power calculator 227 from the randomizing' random number u from a random generator 226, * 
the user information Vi from the modulo power calculator 223 and the public keys e and n. 
Wi = Fe { ri , Vi} = r? x Vi mod n (11) • - ^. -u 

On the other hand, randomized authentication information expressed by the followirig equation is 
35 calculated by a modulo multiplication/power calculator 228 from the randomizing random number r/ 
generated by the random generator 226. the authentication information Xi generated by the modulo power 
calculator 225 and the public keys e and n, 
2i = Fe { n' , Xi } = r,'^ x Xi mod n (12) 

The user sends the randomized user information Wi and the randomized authentication information Zi 
) 40 to the bank- 

The random generator 226 and the modulo multiplication/power calculators 227 and 228 constitute a 
blind signature preprocessor 20A. 

Step Ss: Upon receipt of the randomized user information Wi and the randomized authentication 
infonmation Zi from the user 200. the bank 100 stores them in memories 101 and 102, respectively (see Rg. 
45 4). 

Next, the bank 100 makes the user TOO open k/2 sets of information (Si. Ri, n , r-, Li, Ni) to check that 
the user 100 has correctly inserted his identification information IDp in each secret information Si, and then 
verifies, by the following procedure, that the user 100 has correctly performed Steps Si through S*. 

Step Se: The bank 100 decides items ij (where i = 1 k/2) for specifying the k/2 sets of information 

50 (Si. Ri, Tu u, Li. Ni) which the bank 100 demands, the user 200 to open, and sends the item group U = {ijli 

= 1 k/2} to the user 200, The following description will be given on the assumption that i = 1 k/2 

are items for unopened information. 

Step S7: Upon receipt of the demand from the bank 100. the user 200 sends k/2 sets of information {Si, 
Ri, r;. 0 , Li, Ni} corresponding to the respective items i specified by the bank 1 00. 
55 When an i is the item to be opened, the bank 100 performs procedures of the foilowing Steps Sa 
through S10. 

Step S3: When the i is the item to be opened, it is checked whether the IDp has been inserted at a 
predetermined position in Si, and if yes. the following calculations are performed by modulo power 
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calculators 111 and 121 from the information {Si, Bi, Li. Ni} received from the user 200, 
Vi' = Si^ mod Ni ' ' . ' . 

Xi' = Ri*^ mod "■ ' ; ... . . .. 

Step S3: ih6 fdlldWihg caiculatioris fre pe^formbd by modulo power calculators Yl? and 12^ from the 
5 outputs Vi' and Xi' diF the mbduld rhultiplicatipn/power calculators 112 and 121..the .recaiyed information n 
and u and the public keys e and'n. ' ' ' \ ' \ . , . ^ \ . . - 0 

Wi'''= rf X vi' mod n • 1. > ... . . . 

, Zi'- =i X Xi * mod n " * ' ' . 

Step S10: The value Wi stbi'ed in the rriemory idl and the 'output' V/i' oif the mpdilfe" '(^^ calculator 
10 112 are compared by a conrtparatdr lli3. the value Z! stored in the mefnory 102 ahd'the butpiit Zi of the 
modulo power calculator 122 are also compared by a comparator 123. 

• In this Way, the bank i 00' conducts the abdv#'dhecks for ail of the k/2; items i!'ahd if any one of them 
shows disagreement, then no further processing will be dbn'e. When agreerfients are obtained for all the i's. 
then the bank fOO withdraws the amount of inoney concerned from the user's account or after receiving the 
15 anibuht of money cbncem^'d frdni the* user the bank 'performs the fbl lowing procedure for the i which is not 
the item to be opened. .," , , 

Step Si 1 : Based on the public key n, the secret key d and the values Wi and Zi stored in the memories 
-101 -arid l62;* sigri^d-handoiriiiied us^r jrifbrmatioh 61 arid'sighed-raridomiz^d authehtiC^^^^ 9i 
expre^^ed by the foiioWtng equaitibhs. respectively, are calculated by modulo power calculatc^^^^^ 131 and 
20 141, and the both pieces of information % and 0i^i^^ ' . ; 

Oi = De(Wi) = Wi<* mod n. (13) 
• -el ^'DetZij ='Zi*^''mddW -'^^y^-- Y^^v^ ; V ' " ' , ' ■^v :v :/ '• ' ■ ; ' ^ ■ ; 
The processing expressed by Eqs. (13) dnd (14) is the' Sigriatui^e applied tby the" bank 100 to the 
raridofhiied-'Usei' inY6YWaiion\ Wi ' ahd*y^^^^ randGftii^ed authenticatiori ihffirrhafioh .Z^^ called a 

23 stgnkture' fohttlbrt. tHy'mbdtil6''pbwer caidUlatbrs 131 and I4i constitute signing equipment VOA!!" 

St6'p Si'2: Haviiig received' the*' signed-random user irtfbrrriatibri Qi and' the 'sigried-candomized 
authentication information 0i from the bank 100, the user 200 performs the following' ealculationi5.iy modulo 
dividers 231 and 232 on the basis of the above-mentioned information.;pi and Gi deceived from the bank 
TOO/fe r^ndbrtiizihg random numbers r,- aind n generated by the r^ndbm gQnerat6r^26 .and the, public key 
30 ri, thereby bbtaihing signed 'user information' Bvi and signed; ayth^htic?^^^^^ are free 

from th^ influence of the Tdnddmizirfg random numbers h arid' n' dhd equiyaje^^^^^ having 
the bank 100 sign directly dn the uisier irtfbrfnatibh Vi and the autheriticaitibh Jhforrti.a^^^^ 
BVi = He C n , Qi } ^UUu mod n (15K ! ' ' ' ' ' " . 

BXi'= Hfe'{ri\ ei } = ei/Ti' fridd n ' ' ; ; ; ' 

35''-' ' ' Substitutilni^ Eqs. (11) arid (13) into Eqv'OSj and Eqs. (1'2) and (14) irttb Eq. (IS), the fdllqwirig equations 
• hold; ■ • v: ■ ^ • . ■ - 

BVi = He { n . Qi } = r,« =^ Vt'^/ri a Vi** mod n = De{Vi) ' 
BXi = He { r,'.ei } = r'i^ '^^x Xi<*/ri' 3 Xi^.mod n = Cie(Xi) ' 

these' W^b e'qdatibhs Show that the ' prbcessiri^ by the user ' 200 dh the stgn^d-randomized user 
40 information fii and the signed-randomized authentication information ei by use of the function' He provides 
' ' th^ resufe De(Vi)' arid •De(Xiy 6^ dii'ecf processing by the b^nk, iod oh the ^er ihfbrm^tio^^^ and the 
authentication information Xi by use of the signature furiction De. In' other words;, , the Turi^^^ removes 
the influence 'of the 'raridbmizihg random numbers rj arid r/ from the" sighed-randbrhiz^^ user information 
' and authentication 'infoi'mation Qi' ahd 91. The processing' for ' rerhdvihg" the of the randomizing 

45 random numbers 0 and 0' will hereinafter be referred to as the, blind signature postprocessing and the 
function He stk the pbstprbdessm^ fiindfibri. The mbdyio dividers ^31 ^nd| 23^ cbh'stjtute a bl^^^^ postproces- 
sor 208. The user^Dd Uses the set of iriifd^hiatidn {Vi, Bvi, Xi, Bxl} as elecfrpnicxash. \ ' ' ' 

Next, a de^criiDtibh wiii be given of the Case wKSre th^ user '200 pi^y^ witli/§lectrbriic ca.sh 4t the shop 
300. Fig. 2B shows an exanipie of the procedure" between' the Uiser 200 arid the shop 300, ^9 Fig. 5 shows 
so' in block ifbVm'th^ cdnfiguration oMhe shop Sod. '^'^ ' ~ ' \ ''[ 

Step' §13: The user 200' sends elebtrohic cash {Vi, Bvi,' Xu Bxi} ari'd'paramieter irifbrmatipn {Ni. Li} to 
the shop 300. ' ' ' " '' ' * * ' 

Step Su: Having received the electrbnib ca^h {Vi, Bvl,* )<i. Bxi} arid the ihfdrhiatibn {Ni;' U.}, the shop 
300 stores them in d rilemofy 301 arid at'tHe sarhe tinrie calculates thS Ibild'^ verifTcatidh. fliribtions VFe 
55 by mbduld power calcui^tbrs 311 and 312. * . . 

Vi' = VFe{Bvi} = Bvi» mod n 

Xi' = VFe{Bxi} = Bxi^riiod ri" ^ " / 

Step Si 5: the shop 300 ch^'dks, by comparators 313 and 312, as to whether k/2' calbuikted results Vi' 
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and Xi' and the corresponding information Vi and Xi received from the user 100 are equaJ to each other (i 

= 1 k/2). By this, it can be determined whether, the signature applied to each of the signed user 

information Bvi and the signed authentication information Bxi is taie or not. 

Step Sis: When the k/2 calculated results are found good, the shop 300 generates k/2 random numbers 
s 71 by a random generator 321, stores them in the memory 301 and then transmits an inquiry qi including 
shop identification information IDv. time t and the random number 71 to the user 200. At the same time the 
shop 300 calculates 
B = f(qi) = t(IDv. t, 71) 

by an f-calculator 322 which calculates a public one-way function f. Hereinafter, it is assumed that an 
* TO inequation 0 < Ei < Li holds. 

Step Si 7: Upon receipt of the inquiry qi = {IDv, t, 71} from the shop 300, the user 200 calculates 
Ei = f(IDv, t. 7i) 
by a public f-caJculator 241 . 

Step Sis: The user 200 inputs the output Si of the concatenator 213. the output Ni of the multiplier 222. 
15 the output Ri of the random generator 224 and the output Ei of the f-calcuiator 241 into a modulo 
multiplication/power calculator 242 to calculate a response Yi by the following equation which is a one-way 
function: 

Yi = Ri X Si^' mod Ni (17). 

Then the user 200 transmits the response Yi to the shop 300 (i = l k/2). 

20 Step Sis: The shop 300 verifies the validity of the response YI from the user 200 by calculating 
Ai = Xi X Vi^* mod Ni (18) 
with a modulo multiplication/power calculator 331 and 

Ai'=Yi"m6dNr (19) ' " ' ~ " " 

with, a modulo power calculator 332. 
25 Step S20: It is checked by a comparator 333 whether Ai and Ai' coincide with each other (i =-1. .... 
k/2). 

The modulo power calculators 311 and 312 and the comparators 313 and 314 constitute verifying 
equipment 30A for verifying the validity of the user information Vi and the authentication inforrriation Xi. The 
f-caJculator 322, the modulo multiplication/power calculator 331. the modulo power calculator^ 332 and the 
30 comparator 333 constitute verifying equipment 30B for verifying the validity of the response Yi. Althougih in 
the above, processing for all of the i's (i = 1, k/2) is performed in each of Steps Sie through S20, 't^^s ; 
also possible to repeat Steps Sis through S20 for every i. 

Next, a description will be given of the settlement of accounts between the shop 300 and the bank TOO: 
Rg. 2C shows an example of the procedure therefor between the shop 300 and the bank 100. 
35 Step S21: The shop 300 presents the electronic cash information {Vi, Xi, Bvi. Bxi}, the parameter 
information {Ni, Li}, the inquiry {IDv, t, 7;} and the response Yi to the bank 100 (i = 1 , .... k/2j. 

Step S22: Having received the above information {Ni, Li, Vi, Xi. Bxi, Bvi. IDv. t. 71. Yi} from the shop 
300, the bank 100 inputs the public keys e and n into modulo power calculators 151 and 152 to calculate 
the following verification functions VFe: 
40 Vi' = VFe{Bvi} = Bvi^ mod n 
Xi' = VFe{Bxi} - Bxi^ mod n 

Step S23: It is checked by comparators 156 and 157 whether the values Vi and Xi are equal to the 

received information Vi and Xi (i = 1 k/2). When they are equal, it is determined that the signature 

applied to the information Bvi and Bxi is true. Hence, it is determined that the information Vi and Xi bearing 
45 the signature are also valid. 

Step S2i: When all of such calculated values are found good, the bank 100 calculates 
B = f(qi) = f{lDv, t, 7i) 
by an f-calculator 153, 
Ai = Xi X Vi^ mod Ni 
50 by a modulo multiplication/power calculator 154 and 
Ai' = Yi"^ mod Ni 
by a modulo power calculator 155. 

Step S25: The bank 100 checks by a comparator 158 whether the values Ai and Ai' coincide with each 

other (i = 1 k/2). By this, it can be determined that both Di and Yi are valid. 

55 Step S2s: The bank 100 stores in a memory 161 the information {Ni, Li. Vt. Xi, Ei, Yi} (t = 1 k/2) 

presented from the shop 300 and pays the amount of money concerned into the account of the shop 
identification IDv. 

While the above embodiment utilizes the authentication scheme with interactive proof system based on 
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the difficulty of the calculation of highier degree roots, a sirnilar, system can also be implemented by such 
authentication scheme with aractive proof system as disclosed iri. M. Tompa an<^ H, WqII,, "Random Self- 

- Reducibility and Zero .Knc . ;dge. Interactive Proofs of Possession 'of Information". tlhe Proc. of FOCS, 
19[87. pp. 472-482. . ... . - . - V(.>, ' 

5 . .Incidentajjy, .since the. autb^ntic^tipn. sqheme with interactiye^'^^g^^^ the 
requirement of soundness property, the identification infomnation IDp of the user will be reye^leci, if he uses 
the same pair of user infonmation Vi and authentication information Xi twice or. more. . . ^ 
\ . Next, a description will be, given of the d^teqtion .of iriyalid double usage, of the electrpnic cais^h. 
As described above, when the user 200 uses the electronic cash as a payment to the .shop 300, the 

;q latter sends, the inquiry ,qi.. = {!Dv. t y{} to the formi^r. Since, the inquiry contains the ide^^^^ 

information iDv. time t and the random number yi, the identiification information Ipv differs with shops and 
the information t also differs with time even at the same shop. Accordingly^ if the y'ser 200 fraudulently uses 
. the same efeqtrqoic cash,.tvyice. a.ny one of the contents of .the. inquiry (IDy, 't, proyided 'by 'the shop in 
response tp the second use will naturaily . differ from the. cbrrespoociing piece of information . in the first 

15 inquiry; hencei it can be expected th^t Ei = .f((ipv. t,.7i) will also, differ, ,thus. the 'corresponding response Yi 
will also differ as seen from Eq. (17). do'nsequentiy, if the electronic cash should be used twice, the bank 
would have two different pairs of infonmation (8 and Yi) for the same pair .pf. information ' (Vi and Xi). Now, 
let these pairs of information be represented .by. (Ei, Yi),and (E\\ Yi'),^ respectivefy; Since these pairs of 
information both satisfy Eqs. (18) and (19) in Steps. Sis and 820, the following equations hold: 

20 Yi'^i )d •'Vi^,(mod Ni) ■ (20) ' 

Yi'^sXi • Vi^» (mod Ni) (21) . . - • • 

From this, the following equation is obtained: * ' . ' 

(WYi')'^ 3 Vi^-^' (mod Ni) (22) 

. . Further,, since Si 3 Vi (rnod Ni) holds,, the following equa^^ 

25 ' (YiA^i') s Vi^'-^ (mod Ni)" '(23)"''' r'- ■ ' • : ' 

Here, sinice Li is a prime ntimber. Li and Ej .TEi are mutually prime, and integers q and. j3 which satisfy 
. the foHowlng. equation can. be caicuiate^^^^ ■ , \ . 

' a X L +.j8:x (B-s');= ;(?4);!; .. ' ""V- -'-m .'V-'"'' . • 

Accordingly, it follows that ' . 'V, . ./'\ ' . . . " „ ,.>. . . .. * . 

30. yi"* X (Yi/Yi-)^ 3;si'° * ^' ^ ^^'"^^^^ =^ s;i (mod Ni) ' ,:(2!|) ^ ■ 

thus.- the secret information Si can be . calculated... S the user 

. identification inforrnation IDp in the raw form, . it is pp^sibfe'to.sgecify-lh^^^ usedjhe.electronic cash 

frauduieritlyl ' . [^."'.'^'"..'W'. ^ ''-' ''^'^-^ ^^^y -;' '^■■^^ ^ ^ 

.TTie ^boy^-descrijbed "double lisag^ dete inserted between Steps S^s/^^^^ Szs in Fig. 

35 26, foi" instance. .This procedure will be described, below with reference to Figs^ 2D. arid 4; 

. . .Stiep Sci; "Rte bgnk. lQO searches the memory iS'l for the' presence ^cf-.fhe same information as the 
received, one {Vi,,Xi), If the same information is not found., the bank' 100 proceeds, to Step Szs. in Fig. 2C, 
and if the same information is found, the bank 100 proceeds to. the next step. 

Step Scz: The information (B . Yi ) con-esponding to the received information. (Vi, )0) js read out of the 
40 memory 161. ' ' 

Step Sea: The integers a and which satisfy Eq. (24) are obtained by a Edcfid's algorithm calculator 

" . . . Step ,Sg4: Yi,. Yi' and Ni are input into a modulo divider . 171 to calculate Yi/Yi'^ mod Ni. and the 
calculated result, a, & and Ni are input into a modulo multiplicatfon/povyer calculator ^.1^ the 
45 aforemention^d.equ^fion (25) is. calculated, thus obtaining the secret infQrrpation.,S'i. , ; 

Step Scs: The user identification information IDp "is extracted fronn the secret, information Si. 
As described above, according to the present invention, the inforrpatiori' Xi based on the secret 
information Si containing the user identification information IDp in the raw fqrrri arid the infonriaSon Xi based 
on the random number information Ri are indiyidualjy subjected. tp .the blirid stignature preprocessing (Step 
so S* in Fig. 2A). This precludes the problem of such two-argurrierit coUision-free . property of the one-way 
function f(Xi, y;) as is needed in the Chaum, et al. scheme. Cgnverseiy .^speaking,, . the , Ch^ et al. 
. .^ . electr<)niCj Qa.^h scherne calls for the. two-argument cpllLsion-free .property ^partly . because ^.^^^^ one-way 
function f contains, .as, parameters, both of the injprnnatipri''.,i^^^^ random ..fi urn ber and the 

. inforrnatiop yy based pn , the identification information ib and R.artly be.cau^e.the information "y; is correlated 
. . 55 byjjthe randpm number with the identification information ID. that i?^^ th?,into''rpati9n. yi is.,cprrelated with the 
information Xi. - . ". .„*.." . 

. Incidentally, as mentioned just abpve, the pieces of information (Vi,, Wi}^. and {Xi. Zi}, according to the 
present invention are processed independently of each other,' and the pieces' of inforrnktion Qi and 9i 
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obtained after the blind signature processing by Eqs. (i3) and (14) are also processed independently of 
each other. Moreover, the pieces of signed information Bvi and Bxi obtained after the postprocessing of the 
above pieces of information by Eqs. (15) and (16) are also processed independently of each other. In other 
words, the information sequences {Vu Wi. Qi. Bvi} and (Xi. Zi, ei. Bxi} are processed independently of each 

5 other until the user obtains the electronic cash after demanding the bank to issue it. In the process, in which 
the user uses the electronic cash as shown in Rg. 28, the secret information Si and the random information 
Ri are correlated by one function for the first time at the stage of generating the response Yi to the inquiry 
from the shop in Step St 7. This means that the processing for the information sequence {Vi. Wi. Oi. Bvi} 
and the processing for the information sequence {Xi; Zi, 9i. Bxi} in the process shown in Fig. 2A may be 

10 executed at different times and under different situations. This is utilized in a second embodiment of the 
present invention, which wilt be described below with reference to Figs. 6A through 6D and 7A through 7D. 



[Second Embodiment] 

75 

In the second embodiment the bank 100 issues a license to the user 200 once, and each time the user 
200 wants the bank 100 to issue him electronic cash, he has the bar^k 100 only certify a piece of 
information containing both the license and the random information, thereby simplifying the procedure for 
the issuance of electronic cash. Eventually, in the procedure for issuing the license an information sequence 
20 corresponding to the afore-mentioned information sequence {Vi, Wi. ni, Bvi} related to the secret 
information Si is successively processed, and in the procedure for issuing electronic cash based on the 
issued license an information sequence corresponding to the afore-mentioned information sequence {Xi. Zi. 
8i. Bxi} related to^he random information Ri is successively processed. In this example the electronic cash 
which is issued in a simplified form by the simplified procedure will be referred to as an electronic coin C. 
25 A description will be given first, with reference to Figs. 6A and 7A. of the case where the user 200 who 
has opened an account with the bank 100 has the latter issue a license. Here. IDp represents. identification 
information such as the account number or the like of the user 200. 

The bank 100 creates, as information corresponding to the license, a pair of secret key dA and public 
key eA which are to be used for the blind signature processing, and makes the key eA public. In the blind 
30 signature scheme, as described previously, the user 200 who wishes the bank 200 to apply its blind 
signature to a certain message M, randomizes the message with the blind signature preprocessing function 
W = FeA(r. M) using the public key Oa and the randomizing random number r to obtain a randomized 
- message W. which is sent to the bank 100. The bank 100 applies its signature to the randomized message 
W by a blind signature processing function Q = DeA(W) using the secret key dA and then sends the signed 
35 randomized message Q to the user 200. The user 200 removes the influence of the random. number / from 
the signed randomized message Q with a random number removing .function HeA(n) using the random 
number r used for generating the randomized message W. by which the user 200 can obtain a signed 
message OeA(M) bearing the signature of the bank 100 corresponding to the public key Ba- Here, fe^ for 
randomizing the message M is a blind signature preprocessing function which is a one-way function, De* is 
40 a blind signature processing function, and He^ for removing the influence of the random number is a blind 
signature postprocessing function. This blind signature scheme can be implemented by employing either of 
the afore-mentioned Chaum's scheme utilizing the RSA cryptosystem and the schemes disclosed in our 
prior U.S. Patent Application No. 367.650 (filed June 19. 1989). 

The user 200 generates information Vi, referred to as user information in this embodiment, from the 
45 secret infonnation Si containing his identification information IDp as it is, and then he has the bank 100 sign 
the user information Vi through use of the blind signature scheme. The signed user information, i.e. DeA(Vi). 
will be refen-ed to as a license. The reason for using the blind signature scheme is to protect the privacy of 
the user 200 against the conspiracy of the shop 300 and the bank 100. 

Now, the procedure for the user 200 to have the bank 100 issue the license, shown in Rg. 6A, will be 
50 described more specifically with reference to Rg. 7A which illustrates functionai blocks of the user 200 and 

the bank 100. In the following description, i = 1 k/2. 

Step Si: The user 200 generates a random number aj by a random generator 203, which is input into a 
concatenator 204, along with the user identification information IDp. The concatenated output lOp II aj is 
input into a signature generator 218 to obtain 
55 gi = G (IDp I! a^) (26) 

Step S2: The output of the signature generator 21 8 is input into the concatenator 204 along with (IDp 11 
a;) to obtain the following secret information: 
Si = IDp II a; 1! g, (27) 
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. The secret. infomiation Si is -stored, in- a merho.ry :2T1: Moreover, k pairs bf prime numbers fPi, Qi) are 

produced by. a prime, number generator 201 -andMhe product Ni' of the^prirne hurribers Pi-and Qi are 

obtained by a 'multiplier •202*and is stored Jn the: memoi7 211.-;^ : 
v.. Step- S3:. A prime number U (a prime numbed .greater thari Sv'.for fexamE)Iey is gerieraTed-'-by a prime 
5 number generator 2^3 and the followihg user info^^ • . . . . ; 

Vi = Si"rn6dNi(28)-. .^.-: ..n . : - . .v.-... . • . 

is calculated by a.mpdulo power multiplier 205 from the prime- number U,' the- secret informatiori Si and the 
J .j^product Ni: Then the prime- number U and the user irifofmation' Vi kl-e stored in the rnemo?y:21 1. 
* ' Step Si: The. product Ni. the user information Vi and the prim6 number Li" are input iritd-a cdncatenator 
w : 206. and its- output IVIr = (Ni 11 Vi D. Li> and .the public key e^ for the generation of the- license are input into a 

blind signature preprocessor 207 to obtain the following ^ndbmized' user inforrhatibri*- • 

Wi = Foa (n . Mi) (29) 

The randomized user information Wi thus obtained is sent to the bank 100. The blind signature preproces- 
sing function FeA may be the same as that given by Eq. (t) of the Chaum'5^ seheiiie utilizing the RSA 

J5 cryptosystem or the function proposed in our prior U.S. Patent Application No. 367,650 (filed June 19 
1989). ■ - ■ . . , - , . . . : 

V Next, the barik lOa makes «e:user;. 200 disclose • the- k/2 sets-df infbrmationv{Si. m.- Pi; Qi, r,} after 
which..the bahic lOO ^follows the.:folIowing :prbcedure' to verify that the us'er 200 haS cbrfectly inserted his 
. Identification information I Dp in each secret information Si- and has correctly executed Steps S, through S* 

20 Step S5=: The batik 1.G0 selects, by- a random selector. 1 01 . k/2 different items ij at random from k items 
I; and.sends.to the:user:200 the set of itenosi/as a disclosure- demand U =• {\y\ j = i. k/2} For the sake 
of brevity, let. it -be .assumed that .the bank 100 .has :selected i = k/2+l; + k a^ tlie ^ij. AcGordingly. i 
- I....... k/2 are not the itemsiofdisclosurei . 1. . : . : 

■. Step Se : Upon receipt of the. disclosure dernapd: U from the bank' 1 00. the. user 200 disfeioses by a 
.25r. .disclosure; control 208. the k/2 sets of information {Si. Li.^ Pi. Qirn} specified by the- bank LOO: Here, n'is the 
. .3:; random number used in the blind .signature preprdcessihg function Foa for- the randomized ^usef information 
WI. . - , . • ;■ ■ • . . - 

Step S7: When i is the item of disclosure, that is. when .k/2 *1 .^j k. .the bank 1O0 checks whether the 
IDp Has been, inserted at a predetermined ..positioh:;in;Si. arid if yes..;obtains, bi^:a muliiplifert02. the product 
30.. Ni = Pi X Qi from the information {Si. Li. Pi. Qi..n} and ithen calculates -the following.user Information Vi by 
/ ; a modulo power calculator 405: ; . ■ ^ : .: :: ■:. ;;>;]:.:; . . v . r > u\ < .uy^w r 

Vi = Si" mod Ni : (30) , :-• .'i: '^'^ ^^1^^ \\ 

Step Sa : The.following value Wi'-is ir^alciilated . by a £bncatenatbr 1 04 and a blinrfv^ignaturenpreproces- 
sor 107 from the output Vi- of the mddulb power calculator -=105^ the received- Tandbm number- r* and the 
35:... public key Ba. - .. _ , . ^ . . . ^ ^ 

- Wi' =:.FeA'{ri'.(NillVii|:Li)>,. • . . .-. -nic.-r " ' . - 

Step Sg: The rvalue of the received , randomized user iriformatf6njWi ,and the value: Wi' are compared by 
a comparator 106. If they coincide, the user's demand is. accepted. :and if not., the liserfs demand is not 
. accepted .andrno further processing takes place, 
40; : , In this .way. the :bank;. too makes the above comparison for all. of the k/2 items" i and, when any one of 
comparison -results- shows? disagreement, discdnttpue-futther^processing. When all of. the k72 comparison 
results, are. found good. the. bank 1 00 performs the following signing procedure for the items i which are not 

the objects of disclosure (i = 1 k/2). : : . . . i . 

/.-oStep. Svo: The randomized user information Wr and -the secret :key dA foi- the blind signature of the bank 
'45: :.lOO .are' input into a: blind signature . generator 108. to. obtain signed-randomized usG^infoVm^tidn ni defined 
: . .by the:followirig:.equation: • v ... * •* . - • . . i - . • 

CIi/=:De^(Wi) v(3l):,.' . : . . >• ' ' ' 
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^ ; The signed- randomized user information Qi thus obtained is sent to the user 200. The function Dba is a 
signature funciioh of the bank 100 arid -may be the same as that given by Eq. (2) in :the- Chaurri's scheme 
utilizing the RSA cryptosystem. for instance. . • ; . , , 

■ .. Step Sii:- Havihg received the signed-randomized user, information ■Qi''from the bank lOOi the user 200 
calculates: the following equation (32).by a blind signature postprocessor 209 .from the signed^andomized 
user information Qi. the random number n used in the blind signature preprocessing (Step Si) and the 
public key eA. thereby removing the influence of the random number r, from th^ signed-r^domized user 
information Qii i ,1;,; ... 

Bi = HeA(rE , fli) (32) 

The function Hoa may be the same as that given by Eq. (3) of Chaum. The signed user information Bi thus 
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obtained by Eq. (32) satisfies the following equation (33) as is the case with Eq. (5) of Chaum. 

Bi = DBA (nni) (33) * 

Accordingly, the signed user information Bi obtained by Eq. (32) is equivalent to information obtained in 

such a manner that the message Mi = (Ni II VI II Li) containing the user information Vi has been signed 

5 directly by the bank 100 using the secret key dA corresponding to the public key Oa. The user 200 can use 
the thus obtained signed user information Bi as a license of the electronic coin as many times as he wishes. 

In the above, the Wind signature Qi is obtained for each of the k/2 pieces of randomized user 
information Wi in Step Sio and k/2 pieces of signed user information Bi are obtained in Step S^\, but it is 
also possible to perform processing for signing messages Mi Mk/a collectively as described below. 

70 Step Sio': F^or multiplex-randomized user information obtained by multiplexing ail pieces of randomized 
user information Wi of k/2 items i which are not the objects of disclosure, the bank 100 calculates one blind 
signature, i.e. signed-randomized user information, Q by the following equation (31 ) and sends it to the user 
200. 

Q = DeA (Wk.... Wh/2) (31 ') 
15 Step Sii': Based on the blind signature Q received from the bank 100, the random number o and the 
public key eA. the user 200 calculates the following equation (32 ) by the blind postprocessor 209, obtaining 
a single piece of signed user information B. 
B = HeA(rt , D) (32) 

The signed user information B thus obtained satisfies the following equation: 
20 B = DeA(M, .... Mw2 ) (33^) 

The functions DeA and Hoa by which Eqs. (3l'), (32) and (33) hold can be implemented by. for 
instance, modifying the afore-mentioned Eqs. (1), (2) and (3) in the Chaum's blind signature scheme using 
the RS A cryptosy stem, respectively, as follows: ... • 



25 eA 

Wi ^ FeA n X ni mod n 

a = DeA (Wr . W ) = (n^ Wi) mod n 



:(2 " ) 



30 



k/2 



35 



IfeA (r. , r ./2. )^Q/U^ Ti 
By determining the functions as mentioned above, the following equation holds: 



(nod n ' • • (3') 



40 



B=KeA {Dsa (Wi . Wk/z) . ri , ric/2 } 

k/2 k/2 d A k/2 

= DeA (Wt , - > HK/2)/n^ ^ (n^ Wi) /n^ r, 



45 



©A' dA 

Ca dA >e/2 Ti dA 



= r (Wi / r. ) =n;- (r, Mi) / r. =n,( - X«i ) 
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55 In the following description, equations in the case where the license, is composed of one piece of 
information B produced by the collective signature procedure as mentioned above, will each be referred to 
by a con-esponding reference numeral added with a prime, but procedures and functional blocks are shown 
only in connection with the case of using a license composed of k/2 pieces of information Bi. 
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Next, a description will be given of the procedure for the user 200 to have the. bank 200 issue the 
eiectrpnic coin. -'In, this procedure the user 200 cresites the authentication.Jnforrriatipn'.^ ,^ on the 
random infQrrn^tion Ri. concatenates. thereto the license Bi and uses it as Uie electronic coin^aft^r having it 
signed by. the bank i 00. Also in thi^. instance,, the blind sig nature. schenna- is. used!. At "lirs^^^^ 100 
.5 generates a pair of secret key cIa' '^nd pijbiic key to be used for the blind sign^^^ 

. corresponding to thp face, value of the electronic coin. . and makes the key,.eA . pubiic^Rg.-SB shows an 
example of the procedure to be t^ken. in this casQ between the bank 100 and th^ user 200.^'R3.. 7B shows 
block diagrams of the us^r 200 .and the-bank liOO. The. following description will be made oh the assumption 
■ • thati = 1. .:;,'k/2l" ■ ...V.V. " 

TO Step Si 2: Based on random, informatiqn H\ produced by a random generator 214 and parameter 
information Ni and U read out from the memory 211, the user 200 calculates by a modulo, power calculator 
215 the following authentication information: .■ 
Xi = Ri^' mod Ni (34) 

and stores the authentjcatiqn.Xi an tfie random information Ri in the memory 211. . . 
75. Step. Si 3: Fpr ail of i' j=^X- ...Vk/2, the authentication inforrnation Xi and' the license. Bi read out of the 
memory are concatenated together by a concatenator 21 6, and its output 
m = X, 0 llXwallB, 1! l|Bk,2 (35). 
or in the case of using ,the.one piece license B, . . 

m = Xi U 11X^2 OB^'* "(35) ' • ■ ' 7'. ■ 'V. 

is input into a bjjnd signature! preproeessor 21 7.. along with the public, key eA'cprrespdnding to the face 
' ' vaiue7c?t th^ electronic ■ coin' andVa". rand rp." thereby, cajqulating. randoririize'd.,' authentication 

information given by the following equation: . ' * . / 

Z = FoaVp. m) (36) ' ^ ^ ' - 

The randomized authentication infonmation thus obtained and information on the face value of the electronic 
25 coih, are sent- to the bank 100. . - . . . . 

Step Si4.: Having received the randomized authentication information z; the bank 100 inputs it and the 
secret key dA corresponding to the face value of the electronic coin into a blind signature generator 109, 
ftom which the following- signed-randomized authentication information is produced: 

9 = DeA'(Z) (37) • ^ - ^ — ' :r 

30 The bank 100 sends the signed randomized authentication information 9 to the user 200 and, at the same 
time, withdraws the corresponding amount of mpney from the account of the user 200 or receives payment 
of the amount of money concerined' from, the uder'20ff^^, ■ i;, . - ; : ^ 

Step St 5: Having received the signed randomized authentication information 9 from the bank 100. the 
user 200 inputs the randomizing random number rp used in the blind signature preprocessor 217. the 

35 information 9 received from., the bank. 1 00 and the public key Oa into, a blind signature postprocessor 219. 
by which the following equation 
C = HeAVp. 9) (38) 

which is stored in the memory 21.1. The result of calculation, of Eq. (38) satisfies the following equation 

HeA'(rp. 9) = DeA'(m) (39) " ' ' • 

40 That is, the electronic coin Q is equivalent to information obtained by applying the signature of the bank 

directly to the information m. f * ^ 

Next, a descrijDtion will be given of- the case where ti^e user '200 pays with the electronic coin C to the 

shop 30Q. Fig. 6C shows an example of the procedure to be performed between the user 200 and the shop 

300 and iFig^ 79 shows block diagrams of the shop 300 and the user 200. The following description wiii be 
45 given on the assumption.. that i = 1. ...^/}!J2. . . ^ 

• ^Step Sie: The user; 200 transmits to:*the shop 36o;;the electronic cojn C. tihe license Bi» the user 

information Vi. the adthentication information Vi and ^the parameter information -Ni, Li read out of the 

memory 211. 

Step Si 7: The shop 300 verifies the validity of tiie signature of the bank 100 applied to the message Mi 
50 - (Ni II Vi II Li) in \he license, Bi by digital signature verification equipment 31 9A tiirough use of the public 
key eA and the validity of tiie signature- of the bank 1 00 dpplied to im = -(Xi II • ILX^z il 81 II • • • II Btc^) in 
the electronic coin C by digital signature verification equipment 31 9B through use "of the public key Oa'- 
This is done by calculation or checking whether tiie following verification equations hold or not. If the 
signature of the bank iQp is not found to be valid,, then no further processing will be performed. 
55 (Ni B'vifl Li) = VFeA{Bi) = Bi^A^ > . ' "'^ ' 

P(t D'--MlXk/2 0'a; It •••ll.Bklz) = VF^^^ mdd'n ■ (41)' 

• or ' " ' " ■ • 
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Mi = VFeA {B} =B nod n • . . • (40') 

i = I 

5 

.( Xi 8 • • • 11 X k/a U B ) =VFeA' {C} = C^a. mod n (41 ') 

Step Sis: The shop 300 sends an inquiry qi including time t available from a timer 321, a random value 
number 71 extracted from a random generator 303 and identification information IDv of the shop 300 to the 
user 200 and demands a predetermined response based on these pieces of information. At the same time. 
;q the shop 300 calculates 

B = f (go = f (!0V. t , 7i) (42) 

by a one-way function calculator 322, using the above pieces of information. 

Step 819; The user 200 inputs the received identification information IDv, time t and random number 
value 7i into a one-way function calculator 221 . by which the same calculation f(IDv, t, 7;) as mentioned 
75 above is performed. Its output value B and information Si and Ni read out of the memory 211 are used to 
calculate y; = si^' mod Ni by a modulo power multiplier 222. Its output value y-, and the information Ri and 
Ni read out of the memory 211 are used to calculate Yi = y; x RI mod Ni by a . modulo multiplier 223. 
obtaining 

Yi = Ri • Si-' mod Ni (43) 

20 The user 200 sends- this Yi as a response to the shop 300. 

Step S2c: The shop 300 calculates yi = Vi^* mod Ni by a modulo power multiplier 304 from the output 
value B and the Information Ni and Vi previously received from the user 200. Further, a modulo 
multiplication of its result yj and Xi mod Ni is performed by a modulo multiplier 313 to obtain Xi x Vi^ mod 
Ni. On the other hand, the received Yi and information U and Ni are input into a modulo power, multiplier 

25 305 to calculate Yi*^ mod NI. and its result and the output of the modulo multiplier 313 are input into a 
comparator 306 to check whether the following equation holds or not 
Yi"^ 3 Xi • Vi^' (mod Ni) (44) 

If this equation holds, the shop 300 receives the electi-onic coin C as a valid one. 

Now, a description will be given of the settlement of accounts between tiie shop 300 and the bank 100. 
30 Rg. 6D shows an example of the procedure to be performed between the shop 300 and the banljcjOO. Fig. 
7D shows block diagrams of the bank 100 and the shop 300. 

Step Sai: The shop presents the information {Ni, Li, Vi. Xi, Bi, Yi, C, IDv, t, 7i} (i = 1. ....,.k/2) in the 
memory 311 to the bank 100 and receives a payment of the amount of money concerned. 

Step 822: Upon receipt of the information from the shop 300. the bank 100 verifies the. validity of the 
35 signature of the bank 10 applied to the information Mi = (Ni II Vi || Li) in the license Bi by digital signature 
verification equipment 119A through use of the public key eA and the validity of the signature of the bank 
applied to m = pCi || • • * II Xyg H Bi !l ' • • II 6^2) in the electi-onic coin C by digital signature verification 
equipment 119B through use of the public key eA . This verltication is done by checking whether Eqs, (40) 
and (41) hold or not In the case of using the one-piece license S. Eqs. (40') and (41 ') are employed. Only 
4Q when the validity of the signatures applied to the above-said information is confirmed, the bank 100 proceed 
to the next step. 

Step 823: The pieces of information IDv, t and 71 in the inquiry qi received from the shop 300 are 
provided to a one-way function calculator 112 to obtain its output value B = f(IDv, t Ti). Yi'-' mod Ni is 
calculated by a modulo power multiplier 113 from the pieces of information Yi, Ni. and U-. Vi^ mod Ni is 
45 calculated by a modulo power multiplier 114 from the pieces of information B, VI, and Ni. Moreover, Xi*Vi^' 
mod NI is calculated by a modulo multiplier 115 from the output of the modulo multiplier 114 and the 
pieces of information Ni and Xi. Then the outputs of the modulo power multiplier 113 and the modulo 
multiplier 115 are input into a comparator 116 to check whether the following equation holds or not 
Yi^sXrVi^' mod Ni) 

50 Step Sa*: When the information received from the shop 300 is found good as a result of the above 
verification, the bank lOO stores the information {Ni, Li. Vi. Xi. Bi, Yi. C. IDv. t 71} (i = 1. k/2) in a 
memory 111 and pays the amount of money concerned into the account (IDv) of the shop 300. 

Although the above embodiment has been described with respect of the system utilizing the authentica- 
tion scheme with the interactive proof system based on the difficulty of the calculation of higher degree 
55 roots (Japanese Pat Appln. No. 36391/88), a similar system can be implemented as well by use of other 
authentication schemes with the interactive proof system. 

Incidentally, since the authentication scheme with the interactive proof property satisfies the require- 
ment of soundness property (the property that when two correct Yi are obtained for the same pair of user 
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information Vi and authentication information Xi; the secret information Si corresponding to the information 
Vi can be caiculafed)', the identification- 'informatiori^ I Dp of the' use'r^will be revealed, if he uses the same 
electronic coin twice or more. In other words, if the user uses the electronic coin twice fraudulently, two 
pairs of information (B, Yi) and (Ei'. Yi') which satisfy the verification equation (44) are obtained for the 
5 same pair of information Vi and Xi as in the case described previously in the first ..ernbQdiment with 
reference to Fig, 2D. Consequently, the following equation holds: . ' . , _ . 

\(^y^'yi^-mdd Ni) C ' ' < V -.^nr^. ' - 

• frdrh which the;tellovving ^e^ \ . . . 
(YiA^iVs^Si^*-^ <nhbd nI) ^ - ^ - ■ - : ■ -^ 

to On the other hand, Si"-' = Vi mod Ni holds. Here, U is a prime number and this Li: and. B-Ei' a^^ mutually 
prime, so that the secret information Si can be calculated. ^ Since the ^secr^^ contains the 

identification infonmatibh ibp'bf tihe user*'20p in "the 'raw form, it is possibie.tp specify the user who used the 
' ^iebfronid cbin fVaudulehtiy,' ' ; ' ..... \ . . , . 

* As described atbove in detail, the second. ;emBq$ ^Iso possesses the .f?a^^^^ the 
75 'privacy of the user and {b]( detedtihg double 'usag^^^^ as. is the case, with the first 

bmbbdimerrt. Since the blind signature schb^ (a), it is pps.sit)!^ to. rnaintain the 

' ' ' pn\/acy of tPiie'User such as his propensity to consume. Fdr'the "feature (b), when the electronic coin is used 
twice or more, the secret information used for creating the license is . revealed owing to the property of the 
authentication scheme with the interactive proof property. ' ....... 

20 Incidentally, the issuance of the licen;^e irivdlve^ the procedure in which the user, s.ends k pieces of 
iriforrfiatidn \h/i-= to ahd the bank selects k/2 pieces of the information Wi .'^nd rnakes. the user 

disclose k/2 sets of piu-aril^ters Usdd for generation^ 6f the selected Ic/2 pieces., of Infprmat^^^^ Wi. This 
imposes a larg^ burden ■dh 'ft'e' process^ In the present ihventipri, however,' this prpcedure is required 
ohiy when ; th^ user opeh's fi'is 'account at the bank. In contrast thereto, the frequency of the^. p.rocess for 
25 Issuing 'the e'lecti^onic 'coin is cdhsidefed to be relatively high, but its proc^ssiiig' basicaiiy involves only one 
blind signature generating procedure, arid hence the burden of . this prpcedure is small. : In the first 
embodiment, however, since the license and the electronic coin are integrated into electronic cash, it is 
necessary, for each issuance of the electrdriic cash, to perform the procedure in which .the user sends k 
pairs of information (Wi. 2i) to the bank and the bank selects k/2 pairs from them and makes the user 
30 ' disclose th'^ cbnrespohdirig parameters. The burden of this procedure is large, 

As described above, ^acpprding to ihe. second embodinrient, the electronic, Coin C cari .easily be issued at 
kny time lisihg the' license Bi (i = 1. lo^2) or S issued, in advance, by the bank. .The , eiectronic coin 
according to the scheme of the present invention^ in whYch' the license and the electronic, coin are issued 
separately can be used" rhore cohveniehtly in several rhaririers. First, the electronic coin can. pe, transferred 
35 ' to other Users; second, the 3ame electronic coin can 'be used many, times; third,, the. electronic cojn can be 
transferred to other usdrs and used rnahy tirhes. A dpseriptiph will 'be^giyen of the electronjc . coin which 
possesses these functions In the second embod^ V. V 

[Transfer of the Eiecti-dnic fioiiril 

The' foHbwirii§| desbriptfori wiii be rnade in connection with the case vyfiere a .first user .2Qba;transfers to a 
second user 2i00b the electronic cbih C issued following the "procedure shpvyn in Rg. BB. A^.surrie. in this 
case; that the 'u^erV2pbb also has th§ license obfainisd'Jrprn the bank i 00 by the same procedure, as is the 
case with the ij'ser 26oa. Fig. 8A sihows ^ exannjplb'of the proceduris between , the lisers 2Qda.. and ''200b. 
ftg. 9A iiiu^trates theli* blocff diagtarhs.' in the following.' i;= 'l , 2. ...vk/2. arid variables with " on| symbols 
aire related tb the second user 2dOb who is'the tfansfk^^^ of each variable is,. tfie'same as 

that defineci previdugly.'ii'nless sp^ btherwise. ' " ' ' ' ' ' ' . . . ^ 

Step Si : The first user 200a transmits to the second user 2p0t). the jicense di or B ' the electronic coin 
C. the Us^r irifbrfriatibri^ Vi; the authenti(:atioh infbrniatioh Xi and the 'parameter inWmatipn/Ni..a(!d U read 
out of the mertiory 21 1 . ' ... . 7,. 

Step" S2: the second user 2d0b verifies the validity of the signature of' the bank applied to.the message 
Mi* = (Ni ll;Vi II Li)'iri the license 6i by digital signature verification equip^^ the basis of the 

public key 4a afi'd'the validity of the signature of the bank appiied 'tb ,iTi , .== '(Xi Jl • II X^/a .1 B.i 1) • * * Bk/a) 
in thb' electrdhid coin C by digitar sigriatu re verification equipment 5198 oh the basis . of the. public key eA^ 
This verification is performed by checking^whether or not the following, verification equations. (45) and (46) 
hold, by caiciil^tipri: In the* case of the 6ne-piece license B is effected using, the following 

equations (45 j arid (46 ). If the Signatures of the ban1<" are* found invalid, then ho further processing will take 
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place. 

(Ni II Vi II U) = VFeA {Bi} = Bi«A mod n (45) 

(X, II fl Xw2 II Bi D • • • II B^) = VFeA' {C} =C*a, mod n (46) 



rf fli = VFeA (B} =B modn ' • - ' US') 

i « I 

'° X, II II Xk/2 II B) = VFe/ {C} =C^A, mod h (46') 

Step S3: To make sure that the received user information Vi and the authentication information Xi 

belong to the user 200a who is the transferor, the user 200b sends to the user 200a, as an inquiry, a value 

6i available from a random generator 503. 
75 Step S*: The user 200a calculates Si^' mod Ni by a modulo power calculator 222 on the basis of the 

received value €; and the information Si and Ni of his own read out of the memory 211, and calculates 

Yi = Ri'Si^i mod Ni 

by a modulo multiplier 223 on the basis of the output of the modulo power calculator 222 and the 
information Ri and Ni read out of the mernory 211. Then the user 200a sends the value Yi as a response to 
20 the user 200b. 

Step Ss: The user 200b inputs the value and the received information Vi and Ni into a-moduio power 
multiplier 504 to calculate - 
Vi^i mod Ni ■ - 

and inputs the calculated value, the received authentication information Xi and received Nilnto'a modulo 
25 multiplier 513 to calculate 
Xi*V«i mod Ni. • 

On the other hand, the received pieces of information YI, Li and Ni are input into a modulo power multiplier 
505 to calculate 

Yi" mod Ni " 
30 and the calculated value and the output of the modulo multiplier 513 are provided to a comparator 506 to 

check them for coincidence. If they coincide, the user information Vi and the authentication information Xi 

are determined to be valid. ^ ^ _ 

Step Se: The user 200b who is the transferee sends his license §1 Bic/z (or B) to the 'user 200a to 

have the transferor 200a sign the licenses. 
35 Step S7: The transferor 200a signs the received license Bi Bwa (or B) by signing ^-equipment 233 

which calculates a digital signature function of the following equation (47) or (47"), for example, and then 

returns to the user 200b the signed license as a deed of transfer T. 

T = (B; II • • • II Bwa)*'^ mod Ni (47) 

T = §''3 mod Ni (47) 
4Q In tine above, Ni assumes a value for predetermined item i in the range of 1 S i S k/2. 

Step Ss: The user 200b inputs the public key Ni of the user 200a and the received deed of transfer T 

into digital signature verification equipment 519C to verify the validity of \he deed of transfer T by checking 

whether the following equation holds or not. In this instance, Ni is a value for thie above-mentioned 

predetermined item i. 
45 (§1 a II Bk/2) = T3 mod Ni (48) 

§ = T3 mod Ni (48') 

When the validity of the signature of the user 200a is found good, the user 200b receives the electronic 
coin C as a valid one. 

Next, a description will be given of the case where the user 200b makes payment to the shop 300 with 
50 the electronic coin C transfen-ed from tiie user 200a. Fig. 8B shows an example of the procedure between 
the user 200b and tiie shop 300. Fig. 98 shows their block diagrams. In the following, i = 1 W2, 

Step S9: The user 200b transmits to the shop 300 the received inforrnation group {Ni. Li, Vi. Xi. Bi. Yi, 
C. T} read out of tiie memory 511 and an information group {Ni. U, Vi, Bi. of his own also read out of 
the memory 511. 

55 Step Sio: The shop 300 verifies the validity of the signature of the bank 100 applied to (Ni II Vi II U) in 
the license Bi of the user 200a by digital signature verification equipment 31 9A using the public key eA and 
tiie validity of the signature of the bank 100 applied to (Xi II * II X^a I Bt II • • • II 8^2) in the electronic 
coin C by digital signature verification equipment 3198 using the public key eA . This verification is 
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performed using the afore-mentioned Eqs. (45) and (46).,. In. the case of usipg the one-piece license B. Eqs, 
(45 ) and (46 ) are used. Further, the shop 300 verifie? the validity of the' signature of .tha'user ^pOa applied 
to (Bi [I • D Bwa) in the deed of transfer T, by digital signature verification equipment 31 9C following the 
afore-mentioned equation (48). In the case of using the one-piece license B. Eq. (48 ) is employed. 

s Step Sn: Moreover, the shop 300 inputs the received pieces of information 6i, Vi and Ni into a modulo 
power calculator 314 . to calculate Vi^' mod Ni and; input? the calcuiated qutput arid the received pieces of 
information Xi and Ni into a modulo multiplier 313 to calculate Xi'Vi^* 'mbd.Ni; On the other hand, the 
received pieces of information Yi, Ni and Li are provided to a modulo power calculator 31 5 to calculate Yi*^ 
mod Ni and then the calculated output and the output of the modulo multiplier 313 are input into a 

10 comparator 31 6 to check whether the following equation hplds or .not, -.-i.^ - ■ 
Yi'^:a Xi • Vi^i .(modNi) (49) / • 

-If this equation holds, then jt is determined that the repeiy.ed pi^ce^. of information Vi and Xi.are those of the 
user 200a. , . . . 

Step Si 21. Furtherrpprev the. shpp 30Q. verifies the valjdity of the signatiir^'pf the bank 100 applied to Mi 
75 = (Ni II Vi II Li) in the license Bi of the user 206b who i? -ithe^ transferee. This verifjcaidor} is. carried out by 
digital signature verification equipment 319D using the public key Ca, in./accordance.; with, the following 
equation (50) similar to Jh?, afore^^mentipned equation (45). In the. case of u^ing the one-piece license B, the 

following equation (50.) js^mplqy,^^^ • : . . w ■ • 

(Ni 0 Vi II D) = VFeA {Bi}'= BfA^mod n (50) ' ' ' " ' ' ... ; 



fl^ Mi =VFeA^^{'B} =t^'nod ft ^ ^ - 'r ^ • • - (50*) 

25 

When the signature of the bank 100 is found invalid, the processing is discontinued.- . 

Step Si 3: To identify the user information Vi of the user 200b who is the transferee; the shop 300 sends 
. to the user 200b, as an inquiry qi, time .t available from a timer 321,' a value -yj from a random: generator 303 
30 an d the : identifie.at!p.n ; inf.Gr;rn ati.o.n IDv . of the shop ; GOQ;- At .the . same; time , these pieces of i nf orm ation 1 Dv. t 
and y\ are provided to a one-way function calculator 322 to calculate Ei - f(qi),: = .f(IDv.' t. yi), 

Step § j ♦ i: ;T!;ie,5 user 2Qpb,. inputs ;t(;!e received , pieces of .information - (Qy . t and y\ into a.one-way function 
calculator 522. Its output value Ei = f(IDv, t, 71) and pieces of information Si and Ni, of the user 200b are 
prpyided; to a- modulq power caleulatpr .523 to calculate Si^ mod. Ni. Further, the calculated result and 
35 pieces of information Ji. anci Ni read out of the memory .5.1 1 are jnput into a modulo multiplier. 524 to obtain 
Yi = ?i • S mod Ni (51) . .. : . . . .-V , * 

The value Yi thus obtained is transmitted as a response to the shop; 300. - - *■ 

Incidentally, % is a value which satisfies the relation of the following e.quation ; (52), and it is calculated 
after the transfer.of the elestrpnic coin G from the ;user 20pa and is stored ia^ •;; 
40 5i = Xi '-modiNi -, (52)-... r s . [■ Jo';: "';'-V-'r 

Herei ,1/M .is an inverse, element as an eyppnent xonippne.nt Li in. mod NI- and sa.tisfi^^^ following 

equation:- ■; , '.)\r, ^ . :■■ . - - ■■, , . ^; r 

(1/L)i 0 = 1 mod LCM {Pi • 1) , (Qi - 1) } (53) ' " ^ . ' . , / , - 

The value 1/0 is calculated by an inverse calculation from Pi, Qi and.Liiv - . ^ 

Step St 5: The shop 300 inputs the output value Ei of the one-way ^ifunction/icalQulatpr. 322 and the 
received, pieces of- information iVi and;Ni intp a mpelulq power, caioulator: 304 to :Gal^ Ni and 

inputs the calculated result and the pieces of information Xi and Ni into a TOdqlo multiglier r3l3 to obtain 
Xi.'Vi^ mod; Ni'. Gn the other hand, the received response Yj and thie pieces of information Ni and 0 are 
applied to a moduIo-pQwer calpulatpr 3p5/t0;CalG.ulate;Yi-;: ' mod N|, ap.d the. calculated :resuit.an.d^. the output 
50 of the modqlO : multiplier 313 .gre inpgt into: a cooiparator 306 to check- vyjiethec the following, equation holds 

or not ■•■^0- ■ ■ ■ : . ■ v . ... -v.; . ;. - = ; , r,-^, . ^ u ^ ;j 

. Yi^.' r Vi?! (mQd:Na ..(54) : ; . ! . '•■ ''y..- 

When the response Yi is found valid, the shop 300 determines that the response Yi; tDeiqng^ }o the user 
' 200b. who/is the tMnsferee. and receives the elec^ . .. o 

55 . : As described;aboYe,.in §tep.Si4 t.he,;user 200.b. prod.uces the response;?! .of -Eqj.: ;(45),-usi^^ fi given by 
Eq. (52).. Which is;a furi;ctip;n of -^Xi; instead of using th:e ;random information -Ri of the^user 2p0b .Inimself , and 
consequently, the; authentication! information -Xi of. the use.c. 20Qa. can be, .emplpyeid, fpr the calculation of the 
verification equation (54) in Step Sts which is performed by the shop 300. In other words, the user 200b 

18 



BNS0OCID:<EP 0391261A2> 



EP 0 391 261 A2 



who uses the transferred electronic coin needs not to present his authentication information Xi to the shop 
300. 

Next, a description will be given of the settlement of accounts between the shop 300 and the bank lOO. 
Fig. 8C shows an example of the procedure between the shop 300 and the bank ^00. Rg. 9C illustrates 
5 their block diagrams. 

Step Sig: The shop presents to the bank 100 an information group concerning the user 200a. {Ni. Li. 
Vi, Xi, Bi, Yi. C, T}, an information group concerning the user iSOOb and the shop 300. {Ni, U. Vi, Bi. Yi, €i, 

IDv, t, 7i}. read out of the memory 31 1 (i = 1 k/2). 

Step Si 7: The bank 100 verifies the validity of the signature of the bank applied to (Ni II Vi II Li) in the 

10 license Bi of the user 200a by digital signature verification equipment 119A using the public key Ba and the 
validity of the signature of the bank applied to p<i [j ... II Xn/2 II Br II ... D Bic/2) in the electronic coin C by 
digital signature verification equipment 11 SB using the public key Ba • This verification is performed 
following the afore-mentioned Eqs. (45) and (46). Moreover, the bank 100 verifies the. validity of the 
signature of the user 200a applied to (§1 fl ... 0 By/z) in the deed of transfer T by digital signature verification . 

;5 equipment 1 1 9C, following the afore-mentioned equation (48). In the case of using the one-piece license B. 
the verification is performed using Eqs. (45 ), (46 ) and (48 ). 

Step Si a: The pieces of information eu Vi and Ni are input into a modulo power calculator 117 to 
calculate Vi^ » mod Ni, and the calculated result and the pieces of infonnation Ni and Xi are provided to a 
modulo multiplier 118 to calculate Xi*V(^i mod Ni. On the other hand, the pieces of information Yi, Ni and 

20 Li are input into a modulo power calculator 103 to calculate Yi^ mod Ni, and the calculated result and the 
output of the modulo multiplier 118 are applied to a comparator 106 to check whether or not the following 
equation identical with the afore^mentioned equation (49) holds. 
Yi'^ = Xi*Vi^i (mod Ni) 

When this equation holds, it is determined that the pieces of information Vi and Xi are those of the 
25 transferor 200a. 

Step Si 9: The validity of the signature of the bank 100 applied to (Ni II Vi II 0 in the license Bi of the 
transferee 200b is verified by digital signature verification equipment 119D using the public key Ba- For this 
verification the same equation as Eq. (50) is used. In the case of using the one-piece license B, Eq. (50 ) is 
used. Further, the pieces of information IDv, t. 71 of the inquiry qi are input into a one-way function 

30 calculator 1 1 2 to calculate Ei = f(IDv, t ^i). The output of the one-way function calculator 1 1 2 and the 
pieces of information Vi and Ni are provided to a modulo power calculator 1 1 4 to calculate Vi^' mod NT", and 
the output of the modulo power calculator 114 and the pieces of information Xi and Ni are input Into a 
modulo multiplier 115 to obtain Xi*Vi ^' mod F3i. On the other hand, the pieces of information Yi. Ni"ahd Li 
are input into a modulo power calculator 1 13 to calculate Yi mod Ni. The outputs of the modulo multiplier 

35 115 and the modulo power calculator 113 are applied to a comparator 1 16. wherein it is checked whether or 
not the following equation which is identical with Eq. (54) holds. 
Yi Lf^Xi-V^' (mod Ni) 

When this equation holds, it is determined that the information Vi is the information of the transferee 200b. 
Step S20: When the foregoing verifications are passed, the bank 100 stores the information group of tiie 

40 user 200a, {Ni, Li, Vi, Xi, Bi. Yi, C, T}, and the information group concerning the user 200b and the shop 
300. {Ni, 0, Vi. Bi, Yi, c;, IDv, t, yi}, (i = 1. .... k/2) in the memory 111 and pays the amount of money 
concerned into the account IDv of the shop 300. 

If the user 200a who has transferred the electronic coin as described above uses it twice fraudulently, 
then two identical pairs of information (Vi. Xi) exist as described previously, and consequently the double 

45 usage of the electronic coin is detected by the bank 100 in the procedure shown in Rg. 2D and the user 
200a is identified. On the other hand, in the case of detecting double usage of the transferred electronic 
coin by the transferee 200b» the bank lOO needs only to make a check as to whether or not a pair of 
information of the same value as the received pair of information (Vi, Xi) is present in the memory ill. if 
the pair of information (Vi, Xi) of the same value is found, the secret information Si of the user 200b can be 

so calculated by the following equation, using the pieces of information Yi, Li and Ni corresponding to the 
stored pair of information in the procedure shown in Fig. 2D. 
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(Repetitive Use of the Electronic Coin] 

. Nov^ra description. be given of a rnethod by which tiie user 2ppTepeMvely uses the eieptronic coin 

obtained by the procedure of Fig. 6B in the second embodiment the following wll! describe the procedure 
.5 . for the j-tii use of the electronic. coin ..wijjich. the user. 200 is. allowed to use.K time$ {j S.K). This is applicable 
.to.eitlier of The case,s>of .transfer to another user 20,6 and payment to the shpp 'sOfl.. but the. p.rpcedure will 
be described in connection with the case , of payment to the shop 300. Fig. 10 shows an* example of the 
procedure to be performed :betAreen. the user 200 and the shop 300. and ^g.,l l illustrates them in block 
form.Jn the.foHpwing.J. =, .l..,,.,,.k/2, . 
10 Step Sr. the user 200 transmits an information group {Ni, Li. Vi, Bi, Xi,.C}. read out of the memory 
211. to the. shop 300. . ... 

, Step S2:.The shop 300 .verifies the validity of the signature of the barik 100 applied to (Nt 0 Vr II Li) in 
. ^ the license 8i of the iiser. 2b6a by digital, signature verification equipment 31 9A using the. public key and 
the validity, of the signature, of the bank applied to {Xi ( ... U Xn/a II Si Ij ... |I Bi^a) in the. electronic coin C by 
75 digital signature verification equipment 3198 using the public key e^ . this verification is performed 
.following Eqs. (40) and ,(41)..ln the. case of .gsing the one-piece license B, Eqs. (40 ) and (41') are used. 
. When the signatures qjf. the bank iOO are not valid,, the. procedure is discontinued. 
. . Step S3: The shop 300 sends to, the user. 20p, as ah. inquiry qi. time t available from! a timer 321, a 
. random value, 7i from a random generator 303. and. the identification information. I Qv of the shop 300. At the 
. , 20 . same time, these pieces of information . are applied to a one-way function .caiculatpr 322 to calculate Ei = f- 

:(qi) = f(IDv. t, 7i). ' ^-.v /r'; ■ : . : .• ^ 

Step Si: The user 200 applies the "received pieces orinfbrmation IDy, t and 71 .to .a oner^ay function 
calculator .221, ^nd provicjes. its output values Ei;. == /jjipv, t, and pieceis of information Si and.Ni, read out 
of the memory 211. to a modiilo power caiculator 222. wherein Si^"' mod Ni is calculatecj. the output of the 
25 modulo power calGulatpr 222. the informatipn Ni. and information ^t^'^f described laterarV-inpyt'into a "modulo 
multiplier 223:to. obtain; ... .'^vr '^j-.^ '.^^^^^^^^ .. 

Yi a ti'^i* •^^Si^'mod Ni. (55)/ ' " ^ ' \ '. 'r^ir.'.!.^ 

. . theri the user, 200 transmits .Yi and j as a respons^: tp.the inquiry: qi.. Here,' is a.yaluQ .which satisfies 
the foilowing relation, and it is precalculated by a modulo- power calculator 253 and' may be. stored in the 

|. $0.. .jnemory. _ . .. , 

. : ^.fj (Xi)"" mod Ni . (56) . ^ ' ' ' ' ! 

; i> wiiere l/U Is an. inverse element Li as . an exponent.. com pgnent in rood Ni. vyhich. satisfies' th^ following 
equation; ,. . . ■ _ .- ' ^ . .:, ' . ' 

(l/U) X Ua l^mod.LCM {(Pi^l) .(Qi-l)y^ . ; 

35 The pieces of information Pi. Qi arid. Li are read put of the niempry^2il,^and appli to anjnyerse element 
calculator 252 to calculate the value 1/Li. the function f,-(Xi) of Xi" is a one-way . function which uses, as a 
parameter, j and is, implemented by a one-way function calculator 251. in suc.h a brm as shpwn below. 
. ..,Here, assume that f is a suitable one-way function. , ' . , 

, . . 40 ; Step Ss: the.. shop- 3Q0 inputs the received j.and >ti, rread put of the memory 31,1, into a one-way 
function calculator 350 to calculate a function f^QCi) simiiar to that .given .by ..Eq. (SQj using' the j as a 
parameter. .The . output . value. Ei of the one-way function calpulatpr 322 and the received pieces of 
information Vi.^nd Ni are applied to, a rnodulp. power caiculator i304. to calculate Vi^' mod.Ni. and the output 
; of the onerws^y fu.nctipn calculator 350, the output of . the modulo power caicuiator 304 arid the information 
45 Ni are input into, a .nriodulo multiplier 313 to obtain iFj(Xi)' Vi^' mod NL Moreoyer.:the, pieces,. of info Yi. 
; Ni and U are; provided, to a mpduip power caicuiator 305 to, caiciilate Yi^ nnbd Ni. The outputs of the modulo 
; . . ;power,-GalcMlator-305 .,and.ifie .mod iTitiitipIier .313 are applied ip. a comparator. 306/ thereby checking 
whether the following equation holds or not 
. ,_>q!;|sfj (Xi) • vi^(mod , . ' . ' . /„ 

so If this equation holds, then the shop 300 judges; that. the user 200 has correctly generated the. response Yi 
by use of the secret information of his own, and accepts the electronic coin as valid and receives it 

The procedure to be performed between the shop 300 and the bank 100 and their functional blocks are 

f , substantially identical' .With thos6 shown in Rgs.' 60 .^nd 7ip, respectively, and hencp their detailed 
description wilt 'not be given. Only the difference from th'e procedure of Fig. 6D is that the information sent 

55 from the shop 300 to the bank 100 in Step S2i in Fig. 6D must further contain the number of use j of the 
electronic coin. In the case where the bank 100 detects invalid double usage of the electronic coin, it is 
checked whether a set of information (Vi, Xi, j) of the same values as the set of information received in Step 
Sci of Fig. 2D has already been stored in the memory 1 1 1 (where 1 ^ j 5 k), and the subsequent steps are 
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identical with those Scs through Scs. That is, when two sets of information (Vi, Xi, j) of the same values exist 
for the same coin C. two sets of other information (Ei. Yi) and (Ei , Yi ) of different values exist 
corresponding to them, respectively, and consequently, the corresponding secret information St can be 
calculated as described previously. Since the secret information Si contains the user identification informa- 
5 tion IDp, the user 200 of double usage of the electronic coin can be identified. 



[Transfer of the electronic Coin as the j-th Use] 

70 According to the second embodiment, it is possible to combine the afore-mentioned transfer of the 
electronic coin and its plural use. 

Now, a description will be given of the case where the user 200a transfers the electronic coin C, as its h 
\h use. to the user 200b and the latter uses the transferred eiectronic coin for payment to the shop 300. 
Fig.. 12A shows the procedure to be performed between the user 200a who is the transferor and the 
15 user 200b who is the transferee, and Fig. 13A illustrates their functional blocks in such a case. In the 
following, i = 1 . .... k/2. 

Step Si ; At first, the transferor 200a reads out of the memory 21 1 the information {Ni. Li, Vi. Bi. Xi. C} 
that he has, and transmits the information to the transferee 200b. 

Step Sa: The transferee 200b verifies the validity of the signature of the bank 100 applied to Mi = Ni II 

^ 20 Vi 3 U or (Ml Mk/a) in the license Bi or B of the transferor 200a by digital signature verification 

/ equipment 519A using the pubiic key Ba and verifies the validity of the signature of the bank 100 applied to 

Xr II ... li Xw2 i Bi 11 ... U Bic/a or Xi II ... 9 Xk/2 I! B in the electronic coin C by digital signature verification 
equipment 51 98 using the pubiic key eA . In this instance, the afore -mentioned verification equation (45) or 
(45 ) is employed for the former verification and the afore-mentioned verification equation (46) or (46 ) is 
25 employed for the latter verification. If either signature is found invalid, then no further processing wiir be 
performed. 

Step S3: The transferee 200b sends, as an inquiry, the random number ej from the random generator 
503 to the transferor 200a. 

Step S*: Tne transferor 200a inputs the received random number e,- and the pieces of information Si and 
30 Ni of his own, read out of the memory 211, into the modulo power calculator 222 to calculate Si^i mod 
NI. The output of the modulo power calculator 222 and the pieces of information Ni and ^i'^j^, read out of 
the memory 21 1 , are applied to the modulo multiplier 223 to calculate 
Yi 3 • Si^i mod Ni. 

The output Yi of the modulo multiplier 223 and j are sent as a response to the transferee 200b. Here. "^-^^^ 
35 is the same as that described previously in respect of Fig. 11, and which satisfies Eqs; (58), (57) and 
(58) are precalculated and prestored in the memory 211. 

Step Ss: The transferee 200b input the received j and the information Xi. read out of a memory 511. 
into a one-way function calculator 521 to calculate the same function fj(Xi) as given by Eq. (58) using j as a 
• > parameter. On the other hand, the random number ei from the random generator 503 and the received 

40 pieces of information Vi and Ni are provided to a modulo power calculator 504 to calculate Vi^' mod Ni. 
and the output of the modulo power calculator 504, the output fj(Xi) of the one*way function calculator 521 
and the information Ni are applied to a modulo multiplier 513 to obtain fj(Xi) Vi^i mod Ni. Moreover, the 
received response Yi and the pieces of information Ni and Li, read out of the memory 511, are applied to 
modulo power calculator 505 to calculate Yi"-' mod Ni. The outputs of the modulo power calculator 505 and 
45 the modulo multiplier 513 are provided to a comparator 506, thereby checking whether the following 
equation holds or not: 
Yi^ = fj (Xi) • Vi« i (mod Ni) (60) 

if this equation holds, the transferee 200b judges that the transferor 200a has correctly generated the 

response Yi based on the secret Si of his own. 
50 Step Ss: Then the transferee 200b reads out his pieces of license Bt, .... §^2 (or B) from the memory 

51 1 and sends them to the transferor 200a. ^ ^ 

Step S7: The transferor 200a applies his signature to the received pieces of license Bi B^^ (or B) by 

use of signing equipment 233 which calculates the digital signature function of Eq. (47), for example, and 

sends the signed license, as the deed of transfer T, back to the transferee 200b. 
55 Step Ss: The transferee 200b input the public key Ni of the transferor 200a and the received deed of 

transfer T into digital signature verification equipment 51 9C to check whether Eq. (48) holds or not. In the 

case of using the one-piece license B, the check is made using Eq. (48 ). When the verification equation 

holds, the transferee 200b accepts the j-th coin as an invalid one. 
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Next, a description wil! be given of the case where the transferee 20db pdys with /the transferred 
electronic coin C to the shop 300. Rg. 12B shows ari exam file of the procedure to be performed between 
■ th^ user 200b arid the shop 300, and Fig.. 138 illustrates their functional^ blocks in such, a case. In the 
foiloWihg. i =^ i , J., k/2; .. .... 

s Step Sg: The user'2dbb r4ads out the i-eceived ihfbrrnation group {Ni, U, Vi, Xi. Bi. Yi, C. t, j} and the 
information group {Ni. U, Vi. Bi, e;} of his own from the memory 511 and transmits them to the shop 300. 

Step Sio: The shop 300 verifies the validity of the signature of the bank 100 applied to (Ni II Vi II Li) in 
the license Bi of the transferor 200a by the digital si'gnaturie verification equipmeht 319A usifig the public 
key and verifies the validity of the signature of the bank 100 applied to (Xi II ... 11 Xwz fl Bi 0 ... \l Bwa) in 
id the eledtrdriic coin C by the digital Siignature verification equiprfient 319B using the public key e/. For the 
verification of the signatures. Eqs. (45) and (46) are used, respectively. In the cdse of the one-piece license 
B'. Eqs. (45 ) and (46') are used. Moreover, the validity of ihe signature of the transferor 260a applied to (Bi 
*fl II Bwz)' in' the deed of transfer T is Verified by the dipital signature verification equipment 319C following 
Eq^(48). Irf the ckSe'oMhe ohe-pie^^^ - . 

' rs Step Si i: Further^rnore.'^lhe '^hop '300 inputs the re^:ei\/ed jDieces of infOnnnation ei, Vi arid Ni irito the 
modulo power calculator 314 to calculate Vi^ ' mod Ni, and applies the output ofjhii modulo power 
cdlctjiafor 314 arid the received *pi4c^s' of iriforriiatidn Ni"'arid )Ci io thW rnbduid nriUltiplier^3 to calculate 
Xi'Vi^i mod Ni. On the other hand, the received pieces of iriforrriatioh' Yi.' Ni and Li are provided to the 
" \ '''modulo pbwfer calculator 315 to calculate yi^' mod Ni/ ^nd the output oif the rtiodUlo pbWdr calculator 315 
' • ib' "'and' the' butpu^^^ of'fhfe; *f\odulb mijitiplier 313 are input Into the-cbhpara(tor 316 tb'theck whether the 
' ' ' ' following equation hbid^^^ . . . . ; 

' -' =Yp3'Xi>- Vi^'^'^ trnSd^^ ^ .^-'^ : ' '" "" ' 

''' If this ^quatibK holds; then; the ihop 300 jud^^ ihfbrmatioh Vi and Xi'are those 

' of the trahsferor2bM'' ' ; ' ' ' '' , : . . = ; 

* ■is" 'S^^ S12: fol6red<^er, the s^hbp '366' verifies the validity of the sighaiiire of the bank' i Ob* afD'plied to' (Ni II 
Vi II D) in the . license Bi of the user 200b . by the digital signature verification equipment 3190 using the 
public' key e'Al if^or this verification the' same Equation as Eq. (50) is used. Iri the case' oif the one-piece 
license B. the verification is carried out using the same equation as Eq. ('5o'). When the Signature of tiie 
" bank i 00' is found invalid; the prbcess^^ ' 

30 ^ Step Si3:,Tb verify the validity of the user infbitnation Vi df the transferee '2'OOb. the shop 300 sends to 
the user 2006. as' ah 'ihquiry ql,' the output t of the timer 32i; thfe randoni riumNr 71 from the random 
generator 303 and tiie iden&fitktibh ihforrhMbh'^^ ffi^ of ' the' shdp 300. At the same' ifihie; ' the pieces of 
information IDv, t and 7; are input into the one-way function calculator 32^ to calculate Ei = 'f(qij = f(IDv. t, 

35 Step Si 4: the bsdr 200b inputs the deceived pieces bf informktibh IDv, t arid y\ into a ohe-wky fu'hction 
calculator 522, and then applies its outputs = f (IDv, tiyi) and the piebes of information Si and Ni of his 
owh: read but *bf* the merribrV 511^ ib a modulo power c'alculator 5i^3 to calculate mod Nii The output of 
the modulo pbwer calcuisiior '52i3 ahd tiie ' pied^s of ihformatibri ^i*^^^ knd Ni are\ input into a modulo 
' multiplier 524' to cafc^^^ . ' 

/ ' 40 Yi ^ ' Si^' rribd Ni ■ ' ^ ^ ^ " ^ ' " - - 

this output of the hriddulo multiplier -524 'and j' are s^^^ Ihcidehtally, ^i**" 

^' satisfiies the* following equation as is the c^^e With the' afore-'m&htibh ^j^**' ahd it is preicalfculated and 
' ' ' ' stored ih the memory 51 1 ' . ; 

: *i<i> = ' ''not^ '^^ ' ' . ' " ' ' ' " 

45 ' Step 3i5: THb'^hop 'Sdb'ip the dufp'ut Ei of the one-way ttinctidn cafculator 322 and th^ received 
pieces of information Vi and Ni to the modulo power calculator 304 to calculate Vi^' mod' Ri. (Dh' the other 
hand, the received information j and the information Xi read out of the' rh^'mory 3lf are ^rbvided'fo the one- 
way fiinctibrt* ckiculktor 350' to calculate' fi{Xi); and' the output' of th^ oh'^wa^ furiMbri calcbiatb> 350. the 
information N^and the output of the modulo power calculator 304 are ihpiir irito the mbdulo multipiier 313 to 
50' obtain fj(Xi)* Vi^^^'mod Ni: N/ibrfeov^r. the received pieces 6f Ihforrfiafbrt 'Yi/ Ri' ah^^ Ei '^rb applied 16 tiie 
modulo power calculator 305 to calculate Yi'^-' mod Ni. the outputs of the rhbdulb power calculator 305 and 
thd modiilb muitiplier'''3l'3 ai-e applied to the conlpari&y Sbe'," wherein' whether the following 

esqiiation holds or not; ' ■ * ' " ' ■ ' * '* > ' < 

Yi/^'afiPO) • Vr ^^mbd-Ni)-';^- ' * ' " - 

55 if this equation holds, the* shb^"366 judges that the informatibri Vi is the irifbrmatibri of the transferee 200b, 
and accepts til e electronic cbih C as a V^^^ • • . , ; ■ 

■ The procedure, to be taken between ttie bank 100 and the shop 300 and tiieir functional blocks are 
substantially the same as those showh in Figs. 8C arid 9C, and hence are not shbwri. the- above-described 
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procedure differs from the previously described one in that the information group which is transmitted to the 
bank 100 in Step Sis of Fig. 8C is added with the number-of-use information j received from the user 200b. 
To detect invalid double usage, the bank 100 checks in Step Sci of Fig. 2D as to whether the set of 
information of the same values as the received set of information (Vi. Xi. j) is present in the memory ill, 

5 and the subsequent steps are the same as those Steps Sea through Scs- In the case where two sets of the 
same information (Vi, Xi, j) are exist, sets of infonnation (B. Yi) and (B', Yi') of different values 
corresponding to them also exist, and the corresponding secret information Si can be calculated. Hence, the 
user of double usage can be identified. 

As has been described above, according to the present invention, by adapting protocols of the bank, 

70 the users and the shops to attain the intended purposes, it is possible to implement electronic cash having 

' " ' the same functions as those of the prior art system, without taking into account the collision-free property of 
the two components of the function f which poses a problem in the prior art. 

By issuing the license in advance so that it is used for issuing the electronic coin, the processing for 
issuing the electronic coin involves only one blind signature generating procedure, and consequently, the 

15 burden of the processing can be lessened. 

Furthermore, the present invention permits the transfer of the electronic coin between users which is 
impossible with the prior art That is, the user who has the electronic coin issued by the bank can transfer 
the electronic coin, in this instance, if the user transfers a used electronic coin to another user, or if the user 
transfers the same electronic coin to a plurality of users, the secret information of the user who fraudulently 

20 processed the electronic coin will be revealed as in the case where the same coin is used twice. 

Moreover, the present invention makes it possible to implement a system in which one electronic coin 
can be. used a plurality of times within a fixed number of times. This system produces the same effect as in 
the case where the user possesses many coins though the amount of information to be held is small (the 
same amount of information as in the case of possessing one coin). 

25 It will be apparent that many modifications and variations may be effected without departing from the 
scope of the novel concepts of the present invention. r-- - 

Claims 

30 ■■' 

1 . An electronic cash implementing method in which a bank issues electronic cash to a user, said'-user 
pays a third party with said electronic cash, and said bank settles accounts with a party who finally 
possesses said used electronic cash, said method comprising the following steps: -- 
wherein said user: 

35 (a) generates user information based on secret information containing identification information of his 

own, through utilization of a first one-way function; 

(b) obtains signed user information by having said bank apply blind signature to information 
containing said user information: 

(c) generates authentication information based on random information through utilization of a second 
40 one-way function; 

(d) obtains signed authentication infonnation by having said bank apply blind signature to information 
containing said authentication information; 

(e) sends, as said electronic cash issued by said bank, electronic cash information containing said 
user information, said signed user information, said authentication information and said signed authentica- 

45 tion information to said third party; 
wherein said third party: 

(f) verifies the validity of said signed user information and said signed authentication information 
contained in said electronic information received from said user; 

(g) if said validity is verified, generates and sends an inquiry to said user; 
50 wherein said user: 

(h) generates a response based on at least said secret information generated by himself and said 
inquiry received from said third party and sends said response to said third party; 

wherein said third party: 

(i) verifies the validity of said response through utilization of said user information and said 
55 authentication information contained in said electronic cash information received from said user and, if said 

response is valid, receives said electronic cash as valid one; 

(j) sends said electronic cash information, said inquiry of said "third party, and said response of said 
user to a fourth party, as required. 
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2. The eleetronic eash. implemerrti.ng rriethod of claim 1. including a step^yyherein haying w.hen received, 
frorii a, final party who pos^es^ses . said used electronic cas.h, inform^tiqn cor^taining' said electronic cash 
information, said inquiry generated/. said third, party andj said response generated , by =,said user for 

: settlement o.t ..accounts, .sai(j, bank.. y^^rift.es the signed user infornnation and.-. said signed 

5 authentication infiormation .containe^i-iri^ said . electronic cash information and the validity of .said; response of 
said.user to said .Inquiry r Pisa . . ....... ..^ - 

3. The electronic cash implementing method of claim 2, wherein the step for settlement of accounts 
, ..; include,? a step wherein sai<d:;ban^:..,-,^^^ :* ... 

, detects invalid usage of sarcl electronic cash; fcfy jsaid.user .by checking whether or not a pair of pieces of 
■w. information of the „sam.e .values asitbe pair of said user information and said authentication information 
contained in said electronic cash exists, in information stored in a.-memory of said t)ank;'and . 
.wr . storejs; information containing , said electronic cash information, .said iriquiry; and - said response in said 
/; . j'rnemory/ ^ _ . V - , . . . . 

4. The electronic cash implementing method of clajm 2, yyherein said user possesses said signed user 
75 infprrnatipn .as a license issued by said bank; in case of necessity! said user has said, bank apply blind 

signature to information .containing said authenticatipn. info^^^ and said Ifepnse. .to. P^^ signed 

authentication information and uses said. signed authentication infprrnatipn. thus obtained, a?, an electronic 
,. .coin issued. ..by said ^bank; .when said, user use?: said electronic, coin, he. sends an .Information group 

containing: at .least said Hcense^ said . electronic, cpin* . said ; uspr , infprrnatipn and said authentication 
20, information, as said electronic cash,, to said third party; and said thjrd party.and said.-jDank verify the validity 

of said ,sjgned- user information' and said signed authentication .-information as , the verification , of the validity 

, of .said JicenS^; and said . , . ;• ■ . . — 

5. The electronic cash implernenting methQd of claim 4* wherein. said- final. party is said, third party; said 
fourth party <iS/ said bank; and said, inquiry-generated by. said thii^d p information of 

25 said third party and time information. . . . . . . 

6. The electronic cash implementing method of claim 4, wherein said third party has secret information 
and license of his own; and wherein when having verified that said response from said user is vaJid. said 
third party sends said license of his own to said user, and said user signs said third pa.rty.-ai license and 
sends said signed license as a deed of transfer to said third party. 

30 : |7.: The: electroRiGi^gash .irn.ple.menting, nriethod of .qlaim S. tWhesrjeiniSait^ final.jp^rty^i^ said fourth party: 
said,:fourt.h;:pa^^y.^rec?^yes;,^ said; third, parjy at .least, said user- s^^^^^^^ said user 

information., saidi.authenticatipn Jnfp response which hay e- been, prese user, and 

said third party's license, said third party's user information and said inquiry presented by said third party; 
• . said- fourth, party ^ • :\- ; 

35 verifies the validity of each of said user's licensa and said .electronic coin; 
verifies the.yalidity .of .said user's res^^ 
verifies the validity of said third party's license; 

generates ani.inqpiry cpntaining^iijSeintjficatipn infonrnation of s,a.iql;; fourth party himself and time information 
and sends said inquiry to said third party: said third party: 
.- 40 generates: .a;':r§?poci5.e baseci ^pn jsaid, to secret information and 

information generated based on said user's authenticatioi>; infprrnatipn. a^ said . response to said 

fourth party;,: j-; • . ■ -v; > . ■■ ■ ' 

. . said fourtti paijty: .. ,- ^ . : ;. . 

verifies tiie validity of said tiiird party's response through utilization -of said third party/s .user information. 
45 said fourth party's inquiry and said user's autiienticatton information; and . , 

s.en.d.Si to, sai.ct bank , jnfprmatip.n Gontairiing , said eleqtronic cash jnfprmatipnv ;?a.id third party's inquiry, said 
user's response, said third party's ,!ipern^se,;Said third party/s ;us,er/.informati^ said fourtfi;iR^f1ty'5 '"Quiry and 
said third party's response. .. . ; ■ . ; , : , 

8. The electronic cash implementing metiiod of claim 7. wherein said step for the .settlement of 
50 . ac.eounts incl.udes.a step; -wherein said baqk yenfies. the validity of said third party's response to said fourth 

party's inquiry;, a, step, wherein said, bank , delects jp^^ electronic cpin, by said third party by 

checking whether or not an information group of the same values as an inforrnatipn group of said user's 
; . authentication infpnrnatipn and said :third. party's u?er information exists: in inforrnatipn stored in said memory 
. of said banljcv: .and ;a, step yvherein. said bank stores therinfprmation including, said electronic cash information. 
55 said Uiird party's inquiry and said user> resporise into said memory.. . . , 

9. ' The; elgctfopre pash irnplementing rnethod of claim 4, wherein said bank- permits said electronic coin 
to be used a predetermined number K of times; in response to said third, party's inqjuiry jn a j-th (where 1 ^ 
i S K) use of said electronic coin, said user generates said response based on said user's secret information 
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and information calculated from said user's authentication information through utilization of a one-way 
function which varies using said value j as a parameter, and said user sends said response and said value j 
to said third party; and said third party verifies the validity of said response through use of said inquiry, said 
user's authentication information, said user's information and said value j, and inserts said value j into said 
information to be provided to said fourth party. 

10. The electronic cash implementing method of claim 9, further including, a step wherein when having 
verified that said response from said user is valid, said third party sends license of his own to said user; 
said user signs said third party's license and sends said signed license as a deed of transfer to said third 
party; and said third party verifies the validity of said deed of transfer. 

11. The electronic cash implementing method of claim 9 or 10, further including a step wherein said 
bank receives also said value j from said final party and detects invalid usage of said electronic coin by said 
user by checking whether or not an information group of the same values as the information group of said 
user information, said authentication information and said value j exists in the information stored in said 
memory of said bank- 

12. The electronic cash implementing method of claim 1. 2 or 4, wherein said step of making said bank 
apply blind signature to said information containing said user information, includes: 

a step wherein said user processes said information containing said user information with a one-way blind 
signature preprocessing function using a randomizing random number as a variable and sends said 
randomized infonnation as randomized user information to said bank; 

a step wherein said bank signs a part of said randomized user information with a signatura:.function and 
returns said signed information as signed-randomized user information to said user; and 
a step wherein said user removes the influence of said, randomizing random number from said signed- 
randomized user information with a blind signature postprocessing function to thereby obtain, said signed 
user information. 

13. The electronic cash implementing method of claim 12, further including: 

a step wherein said user generates k pieces of said secret information, k being an integer equal to or 
greater than 2, and k pieces of each of said user Information and said randomized user information 
corresponding to said k pieces of secret information, respectively; and 

a step wherein having received said k pieces of randomized user information, said bank demands^-said user 
to present a predetermined number of groups of data containing said secret information...and said 
randomizing random numbers used for the generation of those of said randomized: user, information 
selected by said bank, calculates sard selected pieces of randomized user information from sai.ctgroup of 
data obtained from said user and verifies that the calculated results each coincide with the corresponding 
one of said randomized user information received from said user. 

14. The electronic cash implementing method of claim 13, wherein said part of randomized user 
information is a predetermined second number of pieces of said randomized user information other than 
those used for said verification and said bank sends said predetermined second number of pieces of said 
signed randomized user information to said user. 

15. The electronic cash implementing method of claim 1, wherein said step of making said bank apply 
said blind signature to said information containing said user infonnation and said step of making said bank 
apply said blind signature to said infonnation containing said authentication information, include 

a step wherein: 
said user 

generates k, k being an integer equal to or greater than 2, pieces of said secret information Si each 
containing said identification information IDp, generates k pieces of said random number information Ri, 
generates k pieces of said user information Vi and k pieces of said authentication information Xi on the 
basis of said k pieces of secret information Si and said k pieces of random information Ri by use of said 
first and second onerway functions, generates k pieces of said randomized user information Wi each 
randomized by applying each of said k pieces of user information Vi as a variable to said one-way first blind 
signature preprocessing function, generates k pieces of said randomized authentication information 2i each 
randomized by applying each of said k pieces of autiientication information Xi as a variable to said one-way 
second blind signature preprocessing function, and sends said k pieces of randomized user information Wi 
and said k pieces of randomized authentication information 2i to said bank; 
said bank: 

selects a predetermined first number ki of pieces of said randomized user information and k pieces of said 
randomized authentication information from said k pieces of randomized user information and said k pieces 
of randomized authentication information, respectively, where ki is smaller than k. specifies ki information 
groups each containing said secret information Si and said random information Ri used for generating said 
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faridoirriized user information Wi and said randomized authentica1?on inforniation . Zi sej^pcted by said bank, 
' ' and "denS'ahds said user '^^ present said specified ki information groups; . ^. . 

^aidf user: ' ' ' / . , ''^■.•-f. 

sends to saii "bank said "ki infdrmai^^^^ ' ! . ! . , ■ 

s said bank: ^ ' . ,1. o,* ' 

c^IciGlates's£il8*'ki randBmized uster ihforhaatibh Wi and said.kr faiidomized authehfc Zi on 

' the b^sis of Said information groups received from said User/ Verifies that 'the ^k^ pieces of randomized user 
• MnifoViiiation ' W^^ the ki piec^ of' randomized authent^^^^ informat^^^^ Zi' thus 

calcuiated respectively coincide with said selected ki pieces of randoniized user infor^matipfi' wi and said 
;6 selected ki t)iedfes of ' randomised auti^^htication ihiformatioh 2, cbrifirni 

• IDp of s^id us6r is contained in dll iDifeces of said selcret information Si in said i'hfcrmation grou^ received 
- iFrom''said' liser^, generates 'a 'pfedeWrmined -rtum of pieces of sigried--randdmi zed 'user' irif^ Qi 

• ' by sighing; Wifii a first sign^Ure Kihction/ ka pieces of rdridonhized user Information among said k pieces of 
randomized user information Wi received from said user, except said selected ki piece'^ of randomized 
15 user ihfdrmatidh, sends s^id^ ki pieces of 'sigried-raiiridonrtlzed user information Q-, td said user, generates ka 
pieces of signed-rariddrhiidd' ^utheVitic^ ihfdrmaitidri Gj* by sighing, with a second sigriature 'function, kz 
fiieteis of rMndbiriized authehtica^idri infbTmati'on arhohg' ' said k pieces of rariddrtiized authentication 
' • informtion Zi'^^Ve'eeWed f fern sWd' us'er; except sa^^^ ptedes of fariddmized 

information, and sends said k^ pieces df signed-randdrfiized Authentication information 6i to said user: and 

' io- s^td B^er:'' ' ' ' ■ ' ' 

derandomii:es said ' fe* pieces of ^igried-raridorriized User Ihforrhatidri Q, and 's t<2 pieces of signed- 
^ raridbiriized'autheritit^^^ 9(' with fiirst ahd secbnd diind ^igjnature postproq^ssing functions, 

•v.- respectiveiy/'to obtaih kz pi^c^s of said signed iiseif' ihfdtroa^^ fivi ahd k2 pieces of' said signed 
authentication information Bxi; . . , . 

25 wherein processing Veiated to said signed user inforrh^^tidii and said sighed authdhtication information in the 
use of siaid eledt^driie cstsh is performed for said second number 1^2 ' of pieces of signed user information 
^iid sad = second riUniber k^ of piieces^ 

16. The electronic cash implementing nieithdd of da^ V' 

said user: * - ' • ■ ■ --^^ '',^^"VV. 

■ 30 ' geheirates.k prime nurnbers U, k pairs 6f secret prirh^ niimbdrs Pf and Qi. and k prime-hgnhber products Pi 
X Qi = Ni; caidulate^ isaid user infdiTnatioh vi arid sslid ^uthen'tiddidh infbrm^tioh;^ secret 
ihformatidn Si and' said ' randb^^ by use of ^aid fi^st £!hd'^'^^^^ 

' respectively expressed by thei fdilow - . ■ . i.. . . .-i. . 

Vi = Si"-* mod Ni ■ - ' ' ' ' ' ""'[ " 

3^^ Xi =-R^' rhc«j Ni - ' • • ^ ■ '\ 

■ whei^b i''^'^; ..1. k. ■ _ • ' ' T . . 

•17. tfie'elebtrdnic cash inlplem^htihg hibthbd of ciairil 16. wherein said fihai party is said third party 
and said fourth party is said bank, and further includirig a step wherein wheiri Using said electronic cash with 
• - "' - respect to' siid' third' p^^^ usei- s6hds" k2 set^ bf " inform atic) n {Vi. BVi.^)^ Bxi} as electronic cash 
' ■^4&' • information to said third party; tbgethei- with said [i^rime^ri'urtiber product Ni and said prirrie' number Li; said 
third party' prdduceS^k2 dieces of said ihqUiry qi' aiid sends th^m td'^ald' uber, and for said k2 Items i, 
calculates inquiry information B by use of an inquiry function B = f(qi); said user Calculates *k2 pieces of 
inquiry information Ei from said inquiry by use of said inquiry function Ei = f(qi), and generates and sends 
' to^aid third party k2 f^spon^es expres^^^ 

^=-Ri'§i^irhdd Mi; ' ' ' * . .. • v -. - [ . 

' and sa|d thilrd p^rty Verifies the Validity of said' I'espbriSe^Yi^by dhed^^^ tii ensUire that thfe following 
veirifidaLtidh eqOatioh hblds for all of ka items i, by Use of said'resporis^^ Yi- . . . . 

Yi'^ 3 Xi*Vi^'(mdd Ni). * ' ' '''' ; '^y-'' " ■ ' " ' 

18. the electronic cash implenriehting' mfethbd of claim 17, further inclijdingj a step wherein said third 
50 party sends to said bank said electrdn id cash infbrmatidn {Bi, Bvi; Xi. Bxi}, said inquiry qii said' response Yi 
and said information U and Ni for all of the ki itertls i foi' settlement of said feleCfrbhic cash; said bank 
' verifies the validity of said response Yi td said ihduiry ' (lbv. l yi) by checking^ wfti^the^ hot the following 
verification equation holds' fbr aii* of the k2 ite^ '-^i ' j - 

Yi'^3Xi'Vi^'(mod Ni). ' ........ V.V ./ " 

" 5S 19. Thb el^'ctrbhic cash implertiehting method of claim 18. further tnciUdin^ ^ bank 
checks whbtfier or not a pair drinforrriatidh of the same values* a^ a pair bf sad' useir iiifbrmati^^ and said 
■ ' authentication 'information* {Vi;' Xi} i-eceivgd from said third p^rfy exists, in said memory of sa^ bank; if such 

• ^ ' pair of irifofmeitibh dbeS 'Wbt'efxi^. saiid bank stbr^s ih said menridry the' information received fforiri said third 
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party; and if such pair of information exists, said bank reads out the corresponding inquiry qi and response 
Yi' from said memory, calculates inquiry information Ei - f(qi') from said read-out inquiry qi . solves, by 
the Euclid's algorithm, integers a and jS which satisfy the following equation: 
a'Li + ^ (Ei - b') = 1, 
s calculates secret information Si by the following equation: 
Vi*='*(WYi')^ mod Ni = Si,. 

and detects from said calculated secret information Si identification information IDp of said user who 
invaiidly used said electronic cash. 

20. The electronic cash implementing method of claim 4, wherein said step of obtaining said license, 
w includes a step wherein: 

said user: 

generates k, k being an integer equal to or greater than 2. pieces of secret information Si, each containing 
said identification information, generates k pieces of said user information Vi from k pieces of said secret 
information Si by use of said first one-way function, generates k pieces of said randomized user infornnation 
75 Wi by applying, as a vanable. information Mi containing said user information to a one-way first blind 
signature preprocessing function, and sends said k pieces of randomized user information Wi to said bank; 
said hank: 

selects a predetermined number ki , kt being smaller than k, of pieces of said randomized user information 
from said k pieces of randomized user information Wi received from said user, and demands said user to 
20 present specified number of sets of information containing said secret information used by said user for 
generating said selected randomized user information; 
-said user. 

sends said specified ki sets of information to said bank; - - ' - v; 

said bank: 

25 calculates ki pieces of corresponding randomized user information Wi from said sets of information 
received from said user, verifies that these calculated pieces of randomized user informatiori-Wi respec- 
tively coincide with corresponding pieces of said randomized user inforrnation Wi selected by said bank, 
confirms that said identification information IDp of said user is contained in each of pieces of said secret 
information Si In said sets of information received from said user, and generates a predetermined number- 

30 kz of pieces of signed-randomized user information Q; by signing, with a first signature function, k? pieces of 
said randomized user information among said k pieces of randomized user information Wi received from- 
said user, except said selected ki pieces of randomized user information, and sends said k2 pieces of 
signed-randomized user information Qi to said user; and '-^^ 
said user: 

35 obtained k2 pieces of said signed user information Bi by derandomizing with a first blind signature 
postprocessing function each of said ka pieces of said signed-randomized user information Q; received from 
said bank; and 

wherein said user uses said k? pieces of signed user information as said license issued by said bank. 

21. The electronic cash implementing method of claim 20, further including a step of issuing said 
40 electronic coin, wherein 

said user generates ka pieces of said random information Ri, generates from said ki pieces of random 
information kz pieces of said authentication information Xi by use of said second one-way function, 
generates said randomized authentication information Z by applying, as a variable, information m containing 
kz pieces of said license Bi and ka pieces of said authentication information Xi to a one-way second blind 
45 signature preprocessing function, and sends said randomized authentication information Z to said bank; 
said bank: 

generates said signed-randomized authentication information 9 by signing with a second signature function 
said randomized authentication information Z received from said user, and sends said signed-randomized 
authentication information 6 to said user; and 
50 said user: 

obtains, as said electronic coin C, said signed authentication information by derandomizing said signed- 
randomized authentication information 9 with a second blind signature postprocessing function. 

22. The electi-onic cash implementing method of claim 21 . further including a step wherein: 
said user: 

55 generates k prime numbers Li. k pairs of secret prime numbers Pi and Qi and k prime-number products Ni 
= Pi X Qi, calculates k pieces of said user information Vi from k pieces of said secret information Si by- 
said first one-way function expressed by the following equation: 
Vi = Si"^ mod Ni, 
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where i = 1, k. , ^ . ... 

23. The electronic .-p^st] implementing, method of .claim 22,, fuiiJier including a step yyherein, supposing 
said k2 items i = 1, .... ka, 

said user: .... .. .... 

s generates ka pieces of said authentication infonmation Xi by said second oneryvay fiinctipn expressed by the 
- fpjlpwing equation:.; j. / , . • = - , . • , . . ..\ . ; 

XI = i^ii"-' mod Ni. ' ' - = !*\ ." " ' ' 

vyherein t. fe. ;■ . v. ; ■• . 

24. The electronic cash implementing method of claim 23. wherein said final party, i^ said third party 
10 and said fourth party is said bank, and further including a step wherein: - , . 

said user: . . ........... 

when . using sai<^ eJectrpnic cpin;.C, ^furnishes said" tfiird party wjth .said elpptrpnic cash informs 
. .. said .electronic: coin C, k2 piep^s of said licens^ Bi, ka. pifpe? of .said yseMnforniation Vi^'g^ pieces of 

said authentication inform.ation Xi.^along. with kg> safdi prime numbers. Li and.^ kg. pieces orsaid., information Ni; 
J5 said third party: . . " - ■ • 

generates said inquiry qj, furnishes said user with said inquiry qi, and calculates k2...pi<eces of inquiry 

information B. by an iriquiry function B -. f(ql),i. .,.. J . . ............. 

. . said usen ... ^ ^■ .'. . , .... '77^- 

generates inqijiry information B from said inquiry qi by said inquiry function, gerierates .ica. pieces of said 
20 response Yl from said inquiry information B. said secrejt inftprmafion ,si and. said ^randbm.' info by 

the following equation: - . . . . . . ...... . . 

Yi = Ri'Si^^ mod Ni. - ^ , ^-T ^ - 

wherein i = 1 kz, 

and furnishes said third par^^^ . ■ . . / =. . / 

,25 said third party; . . ■ ..^ . ^. i. 

. verifies the validity ,Qf said response Yi by checking it. to ensure- that a verification, equation expressed by 
the following equation; ... ... . 

. . Yi^^Xi-yr^' (mod^N^^^^^ . ... ' 

. where i- = -1, k2.- . ^ . ■ * - '■ , 

hpidSi by use ,of said inquiry, information B generated-, by- himself ,and, said . user, information Yi and said 
. authentication, informatipri Xi^r^ic^ived frpm.said^ and regards said electronic coin c' as valid ^ 

25. The electronic cash implementing rriethqd .qf plam. 24.,, further, inclu^^ a step, yyhexein: 
said third party: 

furnishpSi, fpr 5ettlement of said electronic coin, said bank with information containing said! electronic cash 
^35 information {Yi, Xi, Bi, G.}..said p;ime-number products Ni, said prime numbers Li, said inquiry qi and said 

response Yi; ' 
, ..said bank:., . . ' " ' ' ' ' 

yerifies the validity , pf said , response Yi to said inquiry qi by checking that tbe. following .equation holds: 

Yi"aXi*Vi^(mod Ni). ' ^ ' ' ' " / ' 

.40 where i = ka. . , . ^ 

Zp- The electronic cash,, implefmenting method of . claim 25, further including a step . wherein said bank 

checks;, vyhether or not a p^ir qfj.informa^tion of the same values as a pair, of said user inform'ation and said 
^ . ..^ .authentication infpcmation {Vil xi} received frorn said fourth party exists, in said ^rnertioryi qf siaid bank; if 
, . :SucH a pair -pf information dpes npt e^^ said, bank stores in said memory th.e information i-eceived from 
45 said fourth party: and if such a pair of information exists, said bank reads out the corresponding, inquiry qi' 

and xesponse Yi frprn said rriemory, caiiculates inquiry inforrriatipn, Ei'. .= J.(qi') from said. read-put inquiry qi' 
, solves, by the Euclid's .algorithm^ integerso and )3.whic.h satisfy,, the foilowing^^^^^ ]\ 

a'Li + ;3 (Ei - Ei')' = 1," ' . : 

calculates secret information Si by the following equation: 
50 V!'^*(Yi/Yiy mod Ni. = Sh . , .. ' "V - . ' 

and detects frorn sad;.c;aJpulatfd se^^ Si. identification information, of said .usgr^'who invaiidly 

used said electron iCt.cpip. . ,- , .. ^ ..... 

27. The electronic cash implementing method of claim 23, wherein said final party is sai.d fourth party. 

and further including, a step wherein;. - , 
55 , said .user: . ... . y . ....... . ' 

when sending said electronic coin to said third. p^y,. furnishes said..third. party. with informatipn. containing 

said electronic cash information {Vi, Xi» Bi, C}, said prime-number products Ni and said prime numbers Li; 

said third party: 
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generates k2 pieces of said inquiry e-, and sends thern to said user 
said user: 

generates k2 pieces of response Yi from said inquiry et, said random information Ri and said secret 
information Si by the following equation: 
5 Yi = Ri'Si^i mod Ni, 

where i = 1 ^z, _ 

and sends said kg pieces of response Yi to said third party; 
said third party: 

verifies the validity of said response by checking it to ensure that the following equation holds: 
70 Yf'-'sXi'ViM (mod Ni). 
where i = 1 , ka, 

and furnishes said user with kz pieces of license Bi of said third party; 
said user: 

generates a deed of transfer T by applying a signature, with use of the prime-number Ni of said user, to 
T5 said ka pieces of license Bi and sends said deed of transfer T to sad third party. 

28. The electronic cash implementing method of claim 27, further including a step wherein: 
said third party: 

when using said electronic coin, fumishes said fourth party with the information Ni. Li, sad electronic cash 
information {Vi, X. Bi. C}, said deed of transfer T. said third party's inquiry^ gj. said user's response Yi. said 
-20 third party's license Bi. and said third party's prime-number products Ni, prime numbers Li and user 
; information Vi used for generating said third party's license Bi; 

said fourth party: 

verifies the validity of said response Yi of said user by checking it to ensure that the following equation - 
holds: 

25 Yi'-'aXi'Vi^i (modNi). 

where i = 1 kz. . 

generates an inquiry qi, sends said inquiry qi to said third party, and calculates inquiry information Ei from 
an inquiry function. Ei = f{qi); 

said third party calculates inquiry information Ei from said inquiry qi received from said fourth party by said 
30 inquiry function Ei = f(qi), generates a response Yi from the following equations: ^ 

? = Xi^'Li mod Ni, 7 
Yi = *i'Si^ mod Ni. 
where i = 1 ka 

and sends said response Yi to said fourth party; and 
35 said fourth party: ^ . " 

verifies the validity of said response Yi of said third party by checking it. through use- of said user's 
authentication information Xi, to ensure that the following equation holds: 
YiL' a Xi*Vi^ {mod N)i, 
. -N where i = 1, ka- 

' 40 29. The electronic cash implementing method of claim 28. further including a step wherein: 

said fourth party: 

for settlement of said electronic coin, furnishes said bank with said electronic cash information {Vi, >0, Bi, 
C}. pieces of the information Ni, Li and Yi of said user, said deed of transfer T. the information (Ni, Vi, Li. . 
Bi, €u Yi} of said third party and said inquiry qi of said fourth party; 
45 said bank: 

verifies the validity of said response Yi of said user and said response Yi of said third party by checking 

them to ensure that the following equations hold: 

Yi'-'aXi'Vi^i (modNi). 

where i = 1 kz. 

so Yi a Xi'Vi^ (mod Ni). 

30. The electronic cash implementing method of claim 29, further including a step wherein said bank 

checks whether or not a pair of information of the same values as a pair of said user information and said 

authentication information {Vi, Xi} received from said fourth party exists in said memory of said bank; if 

such a pair of information does not exist, said bank stores in said memory the information received from 
55 said fourth party; and if such a pair of information exists, said bank reads out the corresponding inquiry qi 

and response Yi' from said memory, calculates inquiry information Ei' = f(qi ) from said read-out inquiry 

qi'. solves, by the Euclid's algorithm, integers a and 0 which satisfy the following equation: 

a-U ^ (B'- B') = 1. 
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calculates secret information Si from the following equation: 

yi''MXW')jS-rnQd,N|. = Si, */ * ■ 

and detects from said calculated secret information Si the identification information of .s,i|id user who 

invalidiy used said electronic coin C. 

5 31 . The electronic cash implementing method of claim 29 or 30, further including a step, wherein said 
bank checks whether or not a pair 9f.,inf<^rrnat^or^ ^of the. same values as a .pair {Vi. of said user 
information Vi of said third party and said authentication information Xi of s^d user received from said 
fourth party, is stored. JO|r said... mempry. of said .bank; if su.ch 9 pair of information is not found, said bank 
stores in said memory the information received from said fourth party; and.. if. such ^. pair of information is 

TO found, said bank reads out the conresponding inquiry qi of said fourth party arid the response Yi' thereto of 
said third party from said rnemory, calculates inquiry information B. = f(qi ) from, said read-out inquiry qi', 
solves, by the Euclid*s algorithm, integers a and & which satisfy the foi lowing equation: 
. a-Li + (Ei- Ei') = 1, .. ^ _ 

calculates secret information Si Jrom the foilowi 

75 Vi^»(Yi/riy mod Ni = si/ V . " • " V . 

and detects from said calculated secret information Si the identification information of said third party who 
invalidiy used- said electronic coin C. 

32. The electronip cash implementing method of claim 23, where iri, said b^rik allows/saib electronic coin 
to be used a predetermined number K of . tirnes,. said final party is said third party and 'said/fpurth party is 

20 said bank, and further including a step wherein: . ^ . \.'" V 

said user: . ' [ | ' ' 

furnishes s^d. third, pa^rty w)^^^ electronic cash, information {Vi. X, Bi,.C} .and']nfprmatiori {Ni, Li} at the 
time of a j-th use of said electi-onic coin by said user, where 1 ^ j ^ K; ' 

said third party: . . '',=^.'' 

25 generates kj pieces of said inquiry qi, sends said inquiry qi to said user\ "and.'calculates mquin/ infermation 
by an, inquiiy function B,=f- f(g^^^^^ . -.'-v.. - v., 

said user: ' ' " . . ! . ' * ' ' * 

calculates said .inquiry, i^^^ said, inquiry qi by^s3!d.inf]%y..f f(qi),,,, gene rates said 

response Yi from, .the foijpwing equations:.' . . . . ? ". ' " * ' " 

30 = fjP<i)"*^ mod Ni, - • 

where i = 1, ka, 

Yi = ^i^j^'Si^'mod Ni. ' ' ' ' ' 

sends said response Yi to said third party, where fj(Xi) is a function of Xi which varies with j as a parameter: 

and 

35 said third .parly: . ..^ 

verifies the validity of said response Yi fciy checking, it to. ensure that,the fpllpwing equation hoids: 
Yi^afj{Xi)*Vi^' (mod Ni), ' - 

where i = 1 ka. 

...3^,,Jp^ eiegtronjc .cash implementing- method of claim 23. wherein said. bank , a! lows said electronic coin 
40 to be used a predetermined number K of times, and further including a step wherein: 

saidi -user:; • - • . '. ■ . 

furnishes said third party, with said electronic cash information {Vi. Xi, Bi. C} anjd in^rmation (Ni. U} at the 

time of a Hh use of said electronic coin, by said user, where 1 ^.j |! k; 

said third party generates said inquiry €i and sends it to said user; 
45... said. user. • , , . .. ' " 

generates said response Yi by the following equations with use of said inquiry' Cj:' ' ' . 

*i*i^ = ^po)^'"mod Ni, ■ " ' ^ ' li.'^ ''2 

where i = 1 ka. 

Yi - *t^^^*Si* I mod Ni, 

SO and , sends said response Yi to said third party, together with j, yyhere fj{Xi) is a function, pf Xi which varies 
with j as a parameter; . , . ' . 

said third. party: . , , *. .,' ..... 

verifies, the validity of said .response Yi by checking it to ensure" that the' following, equatioii holds: 

^r. YjV^a^po)*^ ; * ' ' " . ' V 

55 where i = 1„...1^ k2. >■,.". 

and furnishes saicl_ user with a. license Bi, where i = h ka. vyhiqh said^third party has: . 
said user: ' ' . * 

generates a deed of transfer T by applying a signature, with use of a prime-number product Ni of said user, 
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to said license Bi of said third party and sends said deed of transfer T to said third party. 

34. The electronic cash implementing method of claim 33, wherein said final party is said fourth party, 
and further including a step wherein: 

said third party: 

5 when using said electronic coin C, furnishes said fourth party with^aid electronic cash Infornnation {Vt, Xi, 
Bi. C} information {Ni, Li. T, Yi. j} of said user and information {Ni, U, Bi, e;} of said third party; 
said fourth party: 

verifies, the validity of said response Yi of said user by checking it to ensure that the following equation 
• hold: 

70 Yi'^sXi'ViM (modNi). 
where i = l ka. 

generates an inquiry qi. sends said inquiry qi to said third party, and calculates inquiry infornnation Ei from 
an inquiry function B = f(qi): 
said third party: 

.75 caiculates said inquiry function B from said inquiry qi by said inquiry function Ei = f(qi), generates a 
response Yi by the following equations: 
^<i> = fj(Xi)»'l-' mod Ni, 
Yi = *i'j^*Si^mod Ni. 
where i = 1, .... k2. 
^ 20 and sends said response Yi to said fourth party; and 

said fourth party; 

verifies the validity of said response Yi of said third party by checking it to ensure that the following 
equation holds: 
Yt^'Efj(Xi)»Vi^ (mod Ni), 
25 where i = 1, ka. 

35. The electronic cash Implementing method of claim 32. further including a step wherein, when 
having received information containing said electronic cash information {Vi, Xi, Bi. C}. the information {Ni, 
Li. Yi. i} of said user and the inquiry qi of said third party, from said final party for settlement of said 
electronic coin, said bank calculates inquiry information Ei by said inquiry function B = f(qi). and checks 

30 whether or not a set of information of the same values as a set of said user information Vi, said 
authentication information Xi and said j is stored in said memory of said bank; and if such a set of 
information is found, said bank reads out the corresponding inquiry qi of said third party and the 
corresponding response Yi of said user from said memory, calculates inquiry information Ei = f(qi ) fi'om 
said read-out inquiry qi', solves, by the Euclid's algorithm, integers a and 0 which satisfy the following 

35 equation: 

a*Li + ;S (Ei - Ei') = 1. 
where i = 1 ka, 

calculates secret information Si from the following equation: 
Vi*=f'{Yi/Y)')^ mod Ni = Si. 
' 40 where i = l , kz, 

and obtains from said calculated secret information Si the identification information IDp of sad user who 
invalidly used said electronic coin. 

36. The electronic cash implementing method of claim 4, wherein said step of making said bank apply 
said blind signature to said information containing said user information, includes a step wherein: 

45 said user 

generates k, k being an integer equal to or greater than 2, pieces of said secret information Si each 
containing said identification information, generates k pieces of said user information Vi from said k pieces 
of secret information Si by use of said first one-way function, generates k pieces of said randomized under 
information Wi randomized by applying, as a variable, information Mi containing each of said k pieces of 
50 user information Vi to a one-way first blind signature preprocessing function, and sends said k pieces of 
randomized user information Wi; 
said bank: 

when having received said k pieces of randomized user information Wi. selects therefrom a predetermined 
first number ki of pieces of said randomized user information, ki being smaller than k, specifies sets of 
S3 information each containing said secret information Si used by said user for generating said randomized 
user information, and demands said user to present said specified sets of information; 
said user: 

furnishes said bank with said ki sets of information specified by said bank; 



31 



BNSDOClD:<EP 0391 261 A2> 



EP 0 391 261 A2 



said bank:, . .. ' . ... , . • . 

calculates, from said sets of information received from' said user, kt corresponding pieces of randomized 
user information Wi'. verifies that said calculated randomized user inforrnatiori„ VVi coincide witii the 
corresponding pieces, of isaid selected, randpm.ized .user, intormation VVi., respectively, cpnfinTis that said 

5 identification , information IDp of, said user is .ctppteined. in all the pieces .of. said secret jnfprmation in said 
sets of information received from said user, generates signed-i^hdbmized'user ihforma^^^ signing, 

with a first signature function, rnyltipl^x randomjzed user ioformatipn obtained from a predeterm^^^ number 

kz of pieces of said randomized user information among said k' pieces of randomized user information 
received from said user, except said selected ki pieces of randomized user information, sends ^aid signed- 

70 randomized user Information Q to said user; and 

. said.user: . ,;r. i.,.,... ■ . - - 

derandomizes said signed-randomized user information Q, received from said bank, with a first blind 
signature postprocessing function to obtain said signed user informatidn B; . , , . 

wherein said user uses said signed .user information B as. said license issued by said baifik." ' 
IS 37. The electronic cash implementing nnethod of claim 36. wherein 's^id stQ^ of issijing said electronic 
coin, including a step wherein: • : . . [ • • ■ 

said user ^ :^„. ^. . 

generates k2 pieces of said random information Ri, generates therefrom' ka' pieces* of said authentication 
information Xi by a second one-way function, generates said randomized autfontication' ihformation Z by 
20 applying information m containing said ka pieces of said authenficafion information Xi and sa B. as 

. . a variable. ..to,, a one-.vygy second blind signature preprocessirig function, and* s^rids randomized 

authentication information Z to said bank; \ . . .. , 

said bank: : . 

generates said signed randomized authentication information 8 by signing said randomized authentication 
. . 25 informatipa Z .with a second signature function, ^nd sends said signed-randoifiized authentication ihforma- 
. tipri:-© to said user; .and ^ . ...... ... . , 

• .. said user:...*- . - ■■ 

. . , . derandornizes, said- signed-randonijzed, auth information 9 with a second blind signature post- 

processing function, to obtain, said'.sign^^^ authgnticatidh informatiori as said electronic coin Gl 
30 33. The electronic cash .jmplenienting rn.ethpd.pf claim. 37. further, including a step wherein: ' 
said user: - . ■ ^- ..... . 'V..,' 

generates.: k prirrie riumbers.'Li, k. pairs ..of . secret prirne numbers Pi and.: Qi arid k prinne:niimb^^ Ni 
Pl.x Qi, calculates k pieces of saiK.usW iriforrnation v! from k pieces of said .secret'inf^^ Si by 
said first one-way function expressed by the following equation: 
35 Vi = Si"-' mod Ni, 

where i = 1 k. ... 

39. The electronic cash implementing method of claim 38, further including a' step wherein,, letting said 
ks items i be 1 ka, 

, 40 i$a\6:}^^eru'- . . r;:)3n;-r^' .■ ' .- .r- ■ \ - n- ■ - -1 

generates k2 pieces of said authentication information Xi by' usfng saicj^ s^ expressed 
by the following equation: ...... ......... ^ ' 

" ' XL=: Fii'^ nK)d Ni,. . ' V 7 ' / ■ ' - • , 

where i = 1 ka. . 

.45 ., 40.. -The. Alect^^^^^^ pash implernentingmethod, of ci^jm ,39. wherein, said final party ^s said third party 
: , , and said fourth; parftf Js siaid bjank.. and further i ncluding a, ^step wherejn; ' ^, , _ . ^ ^' / 

■ , ^ .....said user: . .. . . -* . ! 

when using said.electronic coin,, furnishes s^id third party yyith' said .efectrdhic* ca^^ containing 
.said electrpnjc .^cojn ,C. said license.. B. ka .pieces, of said, user i.nifdrmatiph .Vl., and^ of said 

50 authentication information Xi. ka said prime numbers Li and ka said prime^riUrhbef products Ni'; 
said third party: , , 

generates :said inquiry qi,. sends, said inquiry qi to said^ user, and caicujates ka pieces of' inquify information 
Ei from-an; inquiry. furictipn.B - f(^^^ . . ' , ! . . . .j , 

. said user; , . . . . .. 

55 generates inquiry, information B from said inquiry, qi by said inquiry furicfidh, *g^ of said 

response from said inquiry information Ei, said secret infdrinatibn Si and said s'ecret rahdorn "information Ri 

by the following equation . . .. \ . . 

Yi = Ri*Si^' mod Ni, ' ■ " 
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where i = 1 ka, 

and sends said k2 pieces of response to said tliird party; and 
said third party: 

verifies the validity of said response Yi by checking them to ensure that the following equation 
5 yi^sXi'Vi^' (mod Ni). 
where i = i ka 

holds, by use of said inquiry information Ei formed by himself, said user information Vi and said 
authentication information Xi received from said user, and authenticates said electronic coin as valid. 

41. The electronic, cash implementing method of claim 40, further Including a step wherein: 
70 said third party: 

for the settlement of said electronic coin, furnishes said bank with information containing said electronic 
cash information (Vi, Xi, B, C). said prime-number products Ni, said prime numbers Li,, said inquiry qi and 
said response Yi; 
said bank: 

75 verifies the validity of said response Yi to said inquiry qi by checking that the following equation holds: 
Yi'^3)0'Vi^'(rriod Ni), 
where i = 1 ka. 

42. The electronic cash implementing method of claim 41. further including a step wherein said bank 
checks whether or not a set of information of the same values as. a set of said user information and said 

/ 20 authentication information {Vi, Xi} received from said fourth party exists in said memory of said bank; if 

such a . pair of information is found, said bank stores in said memory said information received from said 
fourth party; and if such a pair of information- is found, said bank reads out . of said memory the 
corresponding inquiry qi and response Yi , calculates an inquiry information b' = f(qi') from said read-out 
inquiry qi , solves, by the Euclid's algorithm, integers a and j8 which satisfy the following equation: 
25 .a*U + ^ (Ei - Ei') = 1. V - ■ 

calculates secret information Si by the following equation: - ' 

Vi°^*(WYiy mod Ni = Si. 

and obtains from said calculated secret information Si the identification information IDp of said user who 
invaiidly used said electronic coin. ' -^^ 

30 43. The electronic cash implementing method of claim 39. wherein said final party is said-fourth party, 
and further including a step wherein: - 
said user 

. when transferring said electronic coin to said third party, furnishes said third party with inforrnttion 
containing said electronic cash information {Vi, Xi, B, C}. said prime-number products Ni and said prime 
35 numbers Li; 
said third party: 

generates ka pieces of said inquiry ei and sends it to said user; 
said user: 

; \ generates ka pieces of response Yi by the following equation 
--- '^ 40 Yi = Ri*Si^i mod Ni, 
where i = 1 ka, 

by use of said secret random information Ri and said secret information Si, and sends said response YI to 
said third party; 
said third party: 

45 verifies the validity of said response by checking it to ensure that the following equation holds: 
Yi'^eXi'Vi^i (modNi). 
where i = 1 ka. 

and furnishes said user with a license B which said third party has; 
said user: 

50 generates a deed of transfer T by applying a signature, with use of the prime-number Ni of said user, to 
said license B of said third party, and sends said deed of transfer T to said third party. 

44, The electronic cash implementing method of claim 43. further Including a step wherein: 
said third party: 

when using said electronic coin, furnishes said fourth party with the information Ni, Li, said electronic cash 
55 information {Vi, Xi, B. C}, said deed of transfer T. said third party's inquiry €i, said user's response Yi, said 
third party's license B and said third party's prime-number products Ni, prime numbers U and user 
information Vi used for generating said third party's license B; 
said fourth party: 
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verifies the validity of said response Yi of said user by ciiecking it to. .ensure thgt the following equation 
hold: ' .. . ■ • : • = ' ■ • ■ 

Yi'^a Xi'Yi^i (mod Ni). , . / ^ 

where i = 1,''...',"k2. 

5 generates an inquiry qi. sends said inquiry qi to said third party, and calculates. inquiry inforrnation B by an 

inquiry function Ei = f(qi); . ^ .. .. . . ^ 

said third party: ' '\ ' 

calculates inquiry "ihfoi'rfiatio^ qi from 'said fourth party by said , inquiry rtunction S = f- 
(qi). generates a response Yi by' the following equations 
ro. $i = Xi'"-'' mod Ni. and _ 

Yi = $i'''si^mod:Ni, ^ ; . ^'!''; ., '1 ■ " . 

' '' where r =^1,\:., ica '' ■ • • . ; - ... 

and sends said response Yi to said fourth party; and 

said fourth party verifies the validity of said response Yi of said third party by checking it to\ensure that the 
15 fdllbwing equatioH Holds: 
YiL' a Xi'Vi^ (mod Ni). 
where i = 1, .... kj, 

■ by us^' of said autKdntip^iidn ' Information Xi of said user . ' " ' , 

. \ 451 the' electVbnlc c^h implementing m of claim 44, further Ihcluding a step Vherein:. 
20 \'said^fourth partyf 'I '.^,„ '."'1 J.''!" ' ' J ^- ■ ^ ' ..' . . " 

for settlenri^nt 'of s with said electronic, cash infqrrTiati9.Q^{Vi, X. B, C}, 

' ' " said pieces pfih user, said deed of transfer T, said inf0rfnatipn''{.N Vi, Li, B, 

4 ?} of said'third p'arty aHd jaidj^ (qfof said fourth piarty;" and * ' * 

said b'ank:- **■"■'■" ' ^ o . . . ■.. . ■ • 

25 verifies the validity of said response Yi of said user and said response Yi of said third party tjy checking 
them to ensure that the following equations hold: ■ . . • ./ ■ 

Yi'^aXi-Vf i (mod Ni), , . ' - . iv 

where i == 1, .... 'ka. and ■ • 

YiLi aXi*yi«i (mod Ni). , ' ' ' .; ;.: v: 

3d 46. The electronic cash implerhentihg method "of claim '45, further including a step wherein said bank 
checks whether or not a pair of information of the same values as a* pair of said user infprmaiiqn and said 
authentication information {yi. Xi} received frqm, said fourth party exists jn said mernpry of bank; if 
such' "a pair ' of infbrm'atidn is riot found, said Bank storeis in said niembry said inform atiori' received from said 
fourth partyj and if such a pair of ihfbrrhsitioh is found, reads out of said memory an in^uir;^^ qi' and a 

35 response Yi corresponding thereto, calculates inquiry information b' = f{qi') from said read-out' inquiry qi'. 
solves, by the Euclid's algorithm, integers a and p which satisfy the following equatfcn: 
a'U + ;3 (B - Ei') = 1, : 
calculates secret information Si by the following equation: , . , 
Vi°^-(YiA^i')^ mod Ni = Si. ' ' ' ' ' [ 

40 and obtains from said calculated secret information Si the identification inforrnation jOp of said user who 
invalidty used said electronic coin C. 

471 fh^ Electronic cash implementing" method of claihn 45' "or 46, further including a step wherein said 
bank checks whether or not a pair of information of the same values as a pair' {Vu Xi}, bf said user 
information Vi of said third party and said authentication information Xi of said, user received . from said 

45 fourth' party is stoiced in said memory of said bank: if such a' pair of 'ihfpntiation is npi^iound. said bank 
stores in said memory said information received from said fourth party; and is siich a. pair of information is 
found, said bank reads out of said ^mennqry .the qprresponding inquiry qi' of ' and a 

response Yi thereto of said third parfir| caiculates' inquiry informatibri Ei' = f(qi*f from said Ve inquiry 
qi , solves, by the Euclid's algorithm, integers a and jS which satisfy the following, equation:,. 

50 a-u'+ = T. ' ^ ^ " ■ ' ' .' ' ' ^ ' . ' ' ^ 

calculates, sebret information Si from the follqwing equation: • - . , , ' " 

Vi^*(Yi/Yr)^ mod Ni'^' Si. " " ' ' ' " ' '' ^' "" ' ? 

and obtains frorp, said cajcujated secret . information SI the identification information of saiid third party who 
invaiidiy iiSed s^d'efecti-pnte^^^ ' . . ' '"J" * * " ''" 

55 " 48. the electronic casii iiin'plementing rriethdd of claim 39, wherein said barik allows. said electronic coin 
to be tis6d a pfedetermiried huitiber final party' is said' third, party arid said fourth party is 

said bank, and further including a step wihef-ein: * 
said user: 
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at the time of a j-th use of said efectronic coin, furnishes said third party with said electronic cash 
information {Vi, Xi. B, C} and information {Ni, Li}, where 1 S j ^ k; 
said third party: 

generates ks pieces of said Inquiry qi, sends said inquiry qi to said user, and calculates- inquiry information 
5 £i by an inquiry function Ei = f(qi); 
•said user: 

calculates inquiry information Ei from said inquiry qi by said inquiry function Ei = f{qi), generates said 
' response Yi from the following equations: 

vJ'i*** = fiPO)^'" mod Ni. . 

ro where i = 1 k2, and 

Yi = ^r^i^'Si^' mod Ni, 

sends said response Yi to said third party, together with j. where fjP<i) is a function of Xi and varies with j as 
a parameter; and 
said third party: 

IS verifies the validity of said response Yi by checking it to ensure that the following equation holds: 
Yi'^afj(Xi)-V!^(mod Ni). 
where i = 1, \<2- 

49. The electronic cash implementing method of claim 39. wherein said bank allows said electronic coin 
to be used a predetermined number K of times, and further including a step wherein: 

20 said user: 

at the time of a j-th (where 1 ^ j ^ K) use of said electronic coin, furnishes said third party with said 
electronic cash information {Vi, Xi, B, C} and information {Ni, Li}, where 1 ^ j ^ K; 
said third party: 

generates and sends said inquiry £[ to said user; 
25 said user: 

generates said response Yi by the following equations: 

v^i^I* = iiQCiY^ mod Ni. ' . 

where i = 1 ka, and 

Yi = ^^r<^>•si^i mod Ni • 
30 and sends said response Yi to said third party, together with j, where fj(Xi) is a function of Xi which varies 

with j as a parameter; ""J 

said third party: ' ... .. 

verifies the validity of said response Yi by checking it to ensure that the following equation holds: 

Yi*^3fj{Xi)*Vi^i (mod Ni), 
35 where i = 1 ka . 

and sends to said user the license § that said third party has; 

said user generates a deed of transfer T by applying a signature, vyith use of a prime-number product Ni. to 
said license B of said third party, and sends said deed of transfer T to said third party. 

50. The electronic cash implementing method of claim 49. wherein said final party is said fourth party, 
40 and further including a step wherein: 

said third party: 

when using said electronic coin, furnishes said fourth party with said electronic cash information {Vi, Xi. B. 
C}. information {Ni, U, T. Yi. j} of said user and information {Ni, U, B. €{} of said third party; 
said fourth party: 

45 verifies the validity of said user's response Yi by checking it to ensure that the following equation hold: 
Yi*^5Xi'Y!^I (modNi). 
where i = 1 kz, 

generates an inquiry qi. sends said inquiry qi to said third party, and calculates inquiry information Ei by an 
inquiry function B = f(qi); 
50 said third party: 

calculates inquiry information Ei from said inquiry qi from said fourth party by said inquiry functior^ Ei = f- 
(qi), generates a response Yi by the following equations: 

= xi^'^' mod.Ni: and 
Yi = ?i^i^*Si^ mod Ni, 

55 where i = 1 ka 

and sends said response Yi to said fourth party; and 
said fourth party: 

verifies the validity of said response Yi by checking it to ensure that the following equation holds: 

35 
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YiL''aXj*9i^(mocl N?). , .. .^.^ \ 

where i = 1, ke. 

5.1 . - The J eleGtronic ;.G.a,5h implementing .method . of, claim. ^8, ■ further including .a . step ..wherein, when 
having received from said final party, for settlement of said eiectrgnic coin, information, containing said 
5 electronic cash information -{Vi. Xi, B, C}. the information {Ni, Li, Yi, j} of said user and said third party's 
*• . inquiry qi. said i3aqk. c.a!cy|ates inquiry. |nfprm $Jipn. Ei .tDy ^aid. inquiry Junction Ei =. f{qi); Sjapd bank checks 
whether or not a set of information of the same values as a. set Qfh Xh, i} Pf said user information Vi. said 
authentication information Xi and said j is stored in said memory of said bank; Jf such a set of information is 
found, said bank reads out of said memory the corresponding inquiry ,qi' of said third party and the 
TO response Yi thereto of said user, calculates inquiry information b' = f(Qi') from said read-oiit inquiry qi', 
: . solves^ by tha Euclid* s algorithm. . integers a and.j3, which satisfy.. the following equation:.. 
a*u"+ ^(Ei-EiV= 1, " ' " " '" " 
where i = 1, k2, 

calculates secret.infprmatipn Si frqrn the following equation: 
;5 Vi"*(WYiy mod Nt = Si, ... 

and obtains from said calculated secret information Si the identification information IDp of s?id user who 
. ^ invaiidly .used said^e^^ . . , . , ... ^ . . .. . , 

52. An eieptroriic cash irnplementing . user sys.teni ■In, whicK bank jps.ues electronic. piash to a user and 

tiie user pays to a third party with said electronic cash, 
■ 20 comprising: . . . 

secret informatiori- genercfting- means for .generating secret inforrnatign containing identificatiqn. information; 

user information generating means whereby user information is produced. by^Luse of, a first one-way 

function, from said secret information provided from sqiid secret ..information generating' meanis; 

first blind signature preprocessing means whereby information containing said user information provided 
25 from said user information generating means is subjected to. one-way. blind signature preprocessing to 

produce randomized user information; , 

first, blind signature postprocessing means whereby signed randomized user infprmatipjri produced by 
signing said randomized user information by said bank is derandomized-to obtain signet^ user information; 
secret random information generating . means for generating se^^^^ ... 

30 authentication information generating means whereby authentication infonmation is ,prpd.uce,c!, by use of a 
second one-way function, from said secret random information provided from said, secret, random informa- 
tion, gqqeratjng rn^ari?;,^ :v . . ^ ^ > ... V'' oV^-rir*-^'/ 
second blind signature preprocessing means whereby said authentiqatipn informatiorK^/proyided from said 
authentication information generating means is subjected to one-way blind signature preprocessing to obtain 

35 randomized autiientication information; . . . , . . 

- second j.t3|ind;:Sig.natu signed authentication information produced by 

signing sai.i^I randomized .authentication . in by s^id bank is derandomized to obtain signed 

- - iautiientication ipfqr^ .- -.^^^ , .. . . ' . . /. . 

response generating means whereby a response is produced, by use of said secret random information in 

40 response to an inquiry from said third party. . , \ 

: ,53, The; user -sy stern of claim. 52r wherein sad ...sjBcqnd. ^blind signature preprop^ssing, means includes 
concatenating means for concatenating said aiuthentication information and said signed u$0r information into 
a concatenated message, and a one-way preprocessing function operator for randomizing said concat- 

, , . enatedj message, with a random number- to prpdupe said, randomized, user information. * 

45 54. The user system of claim 53. further including a one-way signature, function, operator whereby said 
user attaches a signature to signed user information of said third party provided, therefrom. . 
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© Method and apparatus for implementing electronic cash. 
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@ In an electronic cash implementing method, a 
user makes a bank apply a blind signature to user 
information Vi produced, by a one-way function, 
from secret information Si containing identification 
information, thereby obtaining signed user informa- 
tion. Further, the user makes the bank apply a blind 
signature to information containing authentication in- 
formation Xi produced, by a one-way function, from 
random information Ri, thereby obtaining. signed au- 
thentication information. The user (200) uses an in- 
formation group containing the signed user informa- 
tion, the signed authentication information, the user 
information and the authentication information, as 
electronic cash for payment to a shop. The shop 
(300) verifies the validity of the signed user informa- 
tion and the signed authentication information, and 
produces and sends to the user an inquiry. In re- 
sponse to the inquiry the user produces a response 
Yi by using secret information and random informa- 
tion and sends it to the shop. Having verified the 
validity of the response the shop accepts the elec- 
tronic cash. 
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